Exam questions
Identify four risk management roles of a risk management committee. (study guide)
• Formulation of strategy and policy
• Compile group risk register
• Receive reports from divisions
• Track RM activity in the divisions
Describe four characteristics of a risk aware culture
• Leadership - Strong leadership within the organization in relation to strategy, projects and operations
• Involvement - Involvement of all stakeholders in all stages of the risk management process
• Learning - Emphasis on training in risk management procedures and learning from events
• Accountability - Absence of an automatic blame culture, but appropriate accountability for actions
• Communication - Communication and openness on all risk management issues and the lessons learnt
Describe the five key elements of effective corporate governance
• Leadership (Board)
• Effectiveness
• Accountability
• Remuneration
• Relations with shareholders
Describe four post-implementation difficulties for the company in storing information on its RMIS.
• Considerable effort may be required by management to enter the information (both initially and on an ongoing basis).
• It may take some time before the benefits of the RMIS become visible, resulting in disillusionment towards the system.
• RM information is collected as a separate stream of management information (MI) that is not seen as relevant to the day-to-day activities of the business and may still be compiled in different ways in different locations.
• Access to the information may be difficult, especially in case of emergency, and this may be critically important if the disaster recovery plan has to be implemented.
• Ongoing maintenance from the supplier could result in higher than expected post-implementation management costs as well as disruption to the service; made worse if the supplier is not available as problems occur.
• There is a danger of relying on an external provider for system maintenance, including security issues as well as possible loss of system availability.
• Similarly, termination or renewal of the supplier agreement may result in unforeseen or higher costs.
Correct the following ISO 31000's meaning of 'risk' "Risk is the effect of uncertainty on objectives. Note that an effect may be positive or negative. Also, risk is often described as an outcome, a change in likelihood or (a) consequence."
"Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence."
Explain the benefit of identifying the inherent level of risk
"Identifying the inherent level of the risk makes it possible to identify the importance of the control measures in place. The IIA has previously held the view that the assessment of all risks should commence with the identification of the inherent level of the risk. The guidance from the IIA has previously stated that: 'in the risk assessment, we look at the inherent risks before considering any controls.'"
Correct the following statement - "the organization's risk priorities for the present year form part of the protocols of the risk management framework".
"the organization's risk priorities for the present year form part of the strategy of the risk management framework"
Draw a suitably labelled risk matrix, which shows the optimal risk appetite, risk exposure and risk capacity.
(y axis = impact, x axis = likelihood; four shaded zones running from lightest at the origin to darkest at the edge: comfort / cautious / concerned / critical; two curves, the first being risk exposure and the second risk capacity)
Discuss three different ways in which you could train the senior executive team in their risk management responsibilities, giving an advantage and disadvantage of each.
I. One-to-one coaching. Advantages: immediate, interactive, opportunity to maximise time with an individual. Disadvantages: time consuming, cost, less opportunity to interact with peers.
II. Group training session. Advantages: immediate, interactive, opportunity for synergy, shared message. Disadvantages: time consuming, cost, more difficult to manage, availabilities.
III. Computer based training. Advantages: individual can work through at own pace, shared message, time can be selected by the individual. Disadvantages: less interactive, harder to assess real understanding, too simplistic.
Other options include facilitated workshop, coaching, on-the-job mentoring etc.
List four steps that will help you achieve the successful ERM in your organisation.
1. Engage senior management and board of directors to provide organizational support and resources.
2. Establish an independent ERM function reporting directly to a board member.
3. Establish the risk architecture at executive and board levels, supported by internal audit.
4. Develop the ERM framework that incorporates an appropriate risk classification system.
5. Develop a risk aware culture fostered by a common language, training and education.
6. Provide written procedures with a clear statement of the risk appetite of the organization.
7. Agree monitoring and reporting against established objectives for risk management.
8. Undertake risk assessments to identify accumulations and interdependencies of risk.
9. Integrate ERM into strategic planning, business processes and operational success.
10. Contribute to the success of the organization by delivering measurable benefits.
Identify six stages that could be involved in developing the risk appetite statement for this charity.
1. Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
2. What are the main features of the organisation's risk culture in terms of tone at the top? Governance? Competency? Decision making?
3. Does an understanding of risk permeate the organisation and its culture?
4. Is management incentivised for good risk management?
5. How much does the organisation spend on risk management each year? How much does it need to spend?
6. How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?
7. Does the organisation understand clearly why and how it engages with risks?
8. Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
9. Does the organisation have a framework for responding to risks?
10. Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final framework?
11. Has the organisation followed a robust approach to developing its risk appetite?
12. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
13. Is the risk appetite tailored and proportionate to the organisation?
14. What is the evidence that the organisation has implemented the risk appetite effectively?
Another option:
1. Obtain mandate and commitment for this activity from the Board or a risk management committee.
2. Gather information about attitudes to risk from an internal analysis - what decisions has the company taken with regard to risk in recent years, what is the current level of risk exposure we are likely to face, what is our capacity to manage risk should it occur (what losses can we afford)?
3. Gather information from an external analysis - this could include expectations of key stakeholders and industry attitudes to risk.
4. Gather information about the investment the company is willing to make in risk activities (it is likely that the higher the willingness to spend, the lower the risk appetite).
5. Consider appropriate risk appetite levels for different classes of risks based on the above analysis.
6. Draft an initial risk appetite statement (perhaps for the different classes of risk) and consult again with internal and external stakeholders about its appropriateness, then refine, formalize, finalize and communicate.
Identify six stages that could be involved in developing the risk appetite statement for this charity. (Hopkin)
1. Identify stakeholders and their expectations, making reference to the possible range of stakeholders, as defined by CSFSRS.
2. Define the charity-wide risk exposure through an analysis of strategy, tactics and operations, as set out in the risk register.
3. Establish the desired level of risk exposure that will lead to a risk appetite statement, which provides a set of qualitative and quantitative statements.
4. Define the range of acceptable volatility or uncertainty around each of the types of risks, leading to a statement of acceptable risk tolerances.
5. Reconcile the risk appetite and risk tolerances with the current level of risk exposure and plan actions to bring exposure in line with risk appetite.
6. Formalize and ratify a risk appetite statement, communicate the statement to stakeholders and implement accordingly.
Identify four risk management roles of a risk management committee. (Hopkin)
1. Provide assurance to the board that risks to achieving excellence in governance are being effectively understood, managed and mitigated.
2. Identify significant risks that the board needs to consider in detail.
3. Identify that the risk management strategy and policy is implemented consistently across the organization.
4. Monitor and ensure the effectiveness of risk management governance systems.
5. Ensure that the risk register is fit for purpose and meets requirements sufficient for the board to discharge statutory functions.
Hopkin: seven principles for governance in the government sector.
1. Selflessness - Holders of public office should act solely in terms of the public interest and should not seek benefits for themselves, their family or friends.
2. Integrity - Holders of public office should not place themselves under any financial or other obligation to outside individuals or organizations.
3. Objectivity - In carrying out public business, the holders of public office should make choices on merit.
4. Accountability - Holders of public office are accountable for their decisions and actions to the public and must submit themselves to appropriate scrutiny.
5. Openness - Holders of public office should be as open as possible about all the decisions and actions that they take and give reasons for their decisions.
6. Honesty - Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts.
7. Leadership - Holders of public office should promote and support these principles by leadership and example.
Identify four risk management roles of a risk management committee.
1. To advise the board on risk management and to foster a culture that emphasizes and demonstrates the benefits of a risk-based approach to risk management.
2. To make appropriate recommendations to the board on all significant matters relating to the risk strategy and policies of the company.
3. To monitor the performance of the risk management systems and review reports prepared by relevant parties.
4. To keep under review the effectiveness of the risk management infrastructure of the company, including:
● assessment of risk management procedures in accordance with changes in the operating environment
● consideration of risk audit reports on the key business areas to assess the level of business risk exposure
● consideration of any major findings of any risk management reviews and the response of management
● assessment of the risks of new ventures and other strategic, project and operational initiatives
5. To review the risk exposure of the company in relation to the risk appetite of the board and the risk capacity of the company.
6. To consider the development of risk management and make appropriate recommendations to the board.
7. To consider whether disclosure of information regarding risk management policies and key risk exposures is in accordance with financial reporting standards.
Hopkin: six alternative corporate governance principles from the OECD.
1. Effective corporate governance framework - Promote transparent and efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities.
2. Rights of shareholders - Protect and facilitate the exercise of the rights of shareholders.
3. Equitable treatment of shareholders - Equitable treatment of all shareholders, including minority and foreign shareholders.
4. Role of stakeholders in corporate governance - Recognize the rights of stakeholders and encourage active co-operation in creating wealth, jobs and sustainability.
5. Disclosure and transparency - Timely and accurate disclosure is made on all material matters, including the financial situation, performance, ownership and governance.
6. Responsibilities of the board - Strategic guidance of the company, effective monitoring of management by the board and accountability of the board to the company and shareholders.
Two main benefits of an RMIS for an organisation with multiple divisions and departments contributing information to a central risk management team.
1. It helps the central risk management team analyse and manage information and acts as a tool that binds together the work that the central risk team and operating divisions carry out.
2. It also helps ensure uniformity of data gathering, storage and analysis, and reduces the potential for errors and omissions compared to spreadsheets.
Define what is meant by the 'information and communication' phase of the COSO ERM framework.
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Summarise the main principles of the UK Corporate Governance Code.
1. Leadership - Every company should be headed by an effective board which is collectively responsible for the long-term success of the company.
2. Effectiveness - The board and its committees should have the appropriate balance of skills, experience, independence and knowledge of the company to enable them to discharge their respective duties and responsibilities effectively.
3. Accountability - The board should present a fair, balanced and understandable assessment of the company's position and prospects. The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.
4. Remuneration - Executive directors' remuneration should be designed to promote the long-term success of the company. Performance-related elements should be transparent, stretching and rigorously applied. There should be a formal and transparent procedure for developing policy on executive remuneration and for fixing the remuneration packages of individual directors. No director should be involved in deciding his or her own remuneration.
5. Relations with shareholders - There should be a dialogue with shareholders based on the mutual understanding of objectives. The board as a whole has responsibility for ensuring that a satisfactory dialogue with shareholders takes place. The board should use general meetings to communicate with investors and to encourage their participation.
Organisation X's business premises have been destroyed by fire. According to Hopkin's risk categorisations, state what type of risk has materialised.
A hazard or pure risk.
Explain how a focus on CSR activities can help enhance your organisation's reputation.
A focus on CSR activities can help an organisation's reputation in a number of ways, including:
- Protecting and enhancing reputation, brand and trust
- Attracting, motivating and retaining talent
- Managing and mitigating risk
- Developing new business opportunities
- Creating a more secure and prosperous operating environment
- Being recognised as a good neighbour in the communities in which we operate
Analyse two examples of real world cases, where failings in risk culture led to major losses in an organisation. NOTE: You should show clearly the link between the culture failure and the losses subsequently experienced.
A good quality answer will do two things: (i) discuss the losses that occurred and (ii) explain why a risk culture problem was a direct contributor to the losses. For this reason, we are looking for 'downside' rather than 'upside' issues. The IRM Risk Culture guide (IRM: 2012) provides five examples of failures in risk culture which resulted in major losses or disadvantages to the relevant organisation; these include: JPMorgan Chase (p6), Eastman Kodak (p9), BP (p13), Barclays Bank (p15) and Royal Bank of Scotland (p17). Hopkin (2014:118) provides one example of a risk culture failure that resulted in a rail crash.
Describe five aspects the board should take account of when considering risk management for its organisation along with the benefits that can arise
Aspects: Paragraphs 34 and (especially) 35 of the FRC CG code 2014 provide the answer to this question.
34. (The board should ensure that) the design of a robust assessment process to determine the principal risks and consider their implications for the company is appropriate to the complexity, size and circumstances of the company; this is a matter for the judgement of the board, with the support of management. Circumstances may vary over time with changes in the business model, performance, strategy, operational processes and the stage of development the company has reached in its own business cycles, as well as with changes in the external environment.
When considering risk the board should consider the following aspects:
• the nature and extent of the risks, including principal risks, facing, or being taken by, the company which it regards as desirable or acceptable for the company to bear;
• the likelihood of the risks concerned materialising, and the impact of related risks materialising as a result or at the same time;
• the company's ability to reduce the likelihood of the risks materialising, and of the impact on the business of risks that do materialise;
• the exposure to risks before and after risks are managed or mitigated, as appropriate;
• the operation of the relevant controls and control processes;
• the effectiveness and relative costs and benefits of particular controls; and
• the impact of the values and culture of the company, and the way that teams and individuals are incentivised, on the effectiveness of the systems.
'Aspects' means, in effect, what the board should do with regard to risk management. In some respects, therefore, candidates could also refer to the contents of table 9.1 (although these are based on the CEO's role only); certainly, though, it is important to state that the board has overall responsibility for risk management (p103).
The benefits: The benefits of this oversight are similar to the general benefits of good, mature risk management, which were also covered in Module 1. In that sense, the MADE2 analysis could be acceptable (see for example Hopkin table 5.2). So this includes (most importantly from a governance point of view) achievement of strategic objectives (directional control), compliance with laws and regulations, better decision making based on a pre-understanding of risk, more reliable reporting to stakeholders and thus improving terms of business and reputation, fewer sudden shocks by being able to detect change at an earlier time, and the safeguarding of its assets and resources.
You are the risk manager in a project team looking to expand passenger capacity, flights and infrastructure at a major airport. Identify and explain: II. Five likely, emerging risks to the airport over the next five years.
• Brexit reduces demand for short haul air travel, especially to and from Europe, resulting in lower profitability and fewer passenger numbers than planned. It may increase demand for long haul destinations.
• Economic downturn, an increase in the cost of air travel or additional flight taxes lead to reduced business and holidaymaker demand for air travel, impacting profits.
• Enhanced information and communication technology substantially improves virtual conferencing, resulting in fewer business travellers using the airport and a reduction in profits.
• The threat of, or actual, terrorist incidents increases on planes and at large public facilities such as airports, resulting in loss of life, fear of travel, additional security requirements, passenger delays and reduced desire for air travel.
• A critical cyber security breach or significant airport ICT failure results in unplanned system downtime and the inability for aircraft to arrive/depart, resulting in passenger upset, negative media reporting, additional costs and reputational damage.
There are many other valid current and emerging risks.
List two key areas that relate to the future development of the practice of Enterprise Risk Management.
"Future developments in the practice of ERM are likely to be focused on two key areas: 1. Firstly, ensuring risk management activities are fully embedded in the business processes of the organization 2. Secondly, demonstrating measurable financial benefits associated with the implementation of an enterprise risk management initiative."
Following your review, the charity has decided to adopt a single 'modest' level risk appetite statement for the whole of the organisation. Produce a suitable 'modest' level risk appetite statement for this charity.
A modest risk appetite is one which is on the low, or risk averse side, without being too low. So for example, adapting Hopkin: The charity is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance, potential risk of injury to staff and beneficiaries
Explain the error(s) in the following statement about types of risk: "There are certain risks that can result in both positive and negative outcomes. These risks are called 'pure risks'."
(i) Hazard or pure risks have only a downside, i.e. negative outcomes. (ii) Risks that have both positive and negative outcomes could be defined as control risks (or uncertainty risks).
Provide two definitions of risk and state your sources.
• ISO 31000 - Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.
• Orange Book from HM Treasury - Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
• Institute of Internal Auditors - The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.
• Hopkin - An event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives.
Using your chosen organisation as an example, explain to the delegate the value of understanding and applying the 'Attachment of Risks' concept over and above the standard definition of risk.
The standard definition of risk focuses on its impact on objectives, which in some cases can be either too high level or too vague for the impact to have much meaning. Therefore the attachment of risks takes the idea much further, as indicated in Hopkin's definition of risk. In Hopkin's illustration of the options for the attachment of risks, risks are shown in the diagram as being capable of impacting the key dependencies that deliver the core processes of the organization. Corporate objectives and stakeholder expectations help define the core processes of the organization. These core processes are key components of the business model and can relate to operations, projects and corporate strategy. The intention is to demonstrate that significant risks can be attached to features of the organization other than corporate objectives. Significant risks can be identified by considering the key dependencies of the organization, the corporate objectives and/or the stakeholder expectations.
The organization I chose is an international bank located in London. An example of an attachment of risk to a stakeholder expectation could be a compliance risk that results in a fine, such as allowing staff to misleadingly sell unnecessary or useless financial products to clients; this shows a failure to achieve regulator expectations (compliance with a certain law or regulation) and shareholder expectations (maximising their wealth). Attachment also deals with an analysis of the effects of a risk on the core processes of the organization, such as a failure in the production process of the most valuable good/service that is provided by the business. An example would be the infiltration of the banking IT system, which prevents customers receiving credits to their accounts and thus closes down the banking system. The process is 'core' because it delivers significant value to the business that can ultimately impact on stakeholders' expectations or objectives.
A risk can impact on a key dependency, in other words something that the business critically depends upon. For example, the failure of Northern Rock occurred because the wholesale money markets, on which the bank depended, stopped functioning; this was a key dependency for this particular bank's trading model. This key dependency can then affect a core process and impact further on stakeholder expectations and objectives. Ultimately this impact chain can have effects on the business's mission and the strategic business plan: a failure in the bank's IT operating process will make customers unhappy; if customers are unhappy, the bank will lose its good reputation, customers will move elsewhere and shareholder value will be eroded. The resulting increase in costs or decline in income will, in turn, damage its strategic purpose and ultimately threaten its viability, because it will simply be unable to deliver profits or raise finance, thus killing the mission. This idea of impact linkages simply reflects the right hand side of a bow-tie diagram. It is clearly the case that risks are greater in circumstances of change. Therefore, linking risks to objectives is not unreasonable, but the analysis of each objective in turn may not lead to robust risk recognition/identification. In any case, business objectives are usually stated at too high a level for the successful attachment of risks.
Describe three risks on your register relating to the implementation of the RMIS.
(i) The actual implementation will cost more than is budgeted; for example, the hardware costs and configuration could turn out to be higher than expected.
(ii) It will go over time and not be operational on the required date.
(iii) The outsourced supplier may go bust during the implementation, thus causing major time or cost problems. Other outsourcing issues might also be relevant.
(iv) Quality issues may result: the system may not work in the way it is hoped. In short, the system itself might not deliver the functionality expected, or may be too complex for the needs of the business, all of which could be a major embarrassment for the board. An RMIS will not prevent risks; it might be that there are more effective ways of improving risk management in the business. In particular, the implementing organization may not understand (or not invest in understanding) the needs of the business and may therefore set up the system infrastructure sub-optimally. Candidates could consider this to be a post-implementation risk and therefore more applicable to Q17.
(v) There are the further risks of hidden implementation costs such as initial training (note this would also be acceptable as part of the answer to Q17).
Compare and contrast the range of stakeholders and their expectations in a local/provincial government organisation with that of a private sector industry of your choice.
In the government sector:
• Users expect a good quality public service around a range of services - council houses, street lighting and maintenance, schools, leisure facilities, libraries etc. They also expect safe streets and a sustainable approach to managing the region. The problem is that the variety of users is almost unlimited (unlike for a sports club), so user satisfaction amongst all users is almost impossible to achieve. Sports club users are probably more correctly described as 'customers'.
• Taxpayers and the government look for quality financial management and reporting (including the avoidance of fraud), minimal increases in local taxes, the minimisation of tax demands and tax assessment decisions, avoidance of waste and of the use of their money to pay for things they disagree with, efficient/effective general administration, plus good governance and equity including good risk and reputation management. One complication is that often the taxpayer can also be the user, so there might be conflicts in what the stakeholder expects - minimal tax and maximum service. In the sports club, we could regard the comparable stakeholder as the investor, who might, in the private sector, require a decent return on their investment. In many ways this includes cost minimization but could also include the maximization of income - less relevant for the public sector, which tends to focus more on value for money spent in the form of non-financial returns, such as social benefit.
• Programme partners look for a reliable partner, appropriate and timely funding as agreed, and clarity of roles and partner requirements/expectations; in the sports club there might be some partnership arrangements, perhaps in the form of outsourcing arrangements, and the expectations might then be similar.
• Staff look for reliability of employment, wages and terms and conditions, and this applies both in the sports club and in local government.
• Suppliers look for fair/equitable prices and conditions of contract along with the prompt payment of bills; this again is likely to be similar in both organizations.
Explain what is meant by the 'risk architecture' of an organisation and contrast the risk architecture with the 'risk protocols'.
Candidates are expected to define the subject of risk architecture, as well as explain its purpose. This is straightforward theory content and Hopkin devotes the whole of chapter 7 to it. To contrast architecture with protocols requires the candidate then to describe what protocols are and explain their purpose, noting that the two are completely different concepts, but both are part of the wider subject of the risk management framework. To illustrate: the risk management structure of the club can be described as the risk architecture. The risk architecture sets out lines of communication for reporting on risk management issues and events. It is vital that the risk architecture reinforces the fact that the responsibility for managing risks remains with the owner of that risk. In a nutshell, it describes who does what in relation to risk management and how the risk reporting structure works.
Explain to the Chief Executive Officer four ways in which the implementation of ERM could provide good value for money for this particular company
Candidates should apply the theory to the organisation concerned. In the short term, if the company spends money on developing its risk maturity it will have less money for business development at the very time when its recent sales performance is already under threat. For that reason the ERM framework must show that it will pay for itself within a certain period of time, including the development of project plans, budgets and timescales. The main focus of the answer, however, is where candidates explain some of the advantages that can come to the company from developing the framework (e.g. MADE2), but there needs to be an application of how the theoretical benefits from the reading materials could indeed benefit the organisation concerned. Candidates could bring out benefits such as the increased likelihood of achievement of objectives, fewer surprises, faster risk identification, fewer crises for the CEO (thus freeing up his time), better reputation as a result of being able to demonstrate good risk management and assurance to stakeholders, easier and cheaper sources of finance, and a happier workforce focusing on meeting customer needs. The critical thing is to show that the benefits will exceed the costs and barriers for this business.
Summarise three benefits to this company of having risk information on a RMIS.
• Data is accurately and fully recorded in a way that can be analysed to identify the causes of risks and thereby identify opportunities to reduce those risks. For example, recording the loss of precious metals extracted and processed will identify weaknesses in the existing procedures.
• There will be a single source of risk data that can be amended only by authorised people, so that the accuracy of the risk information can be ensured. This accurate and validated information will then be available for undertaking risk assessments and risk treatments. For example, information on the causes of accidents and injuries related to extracting or processing ores will inform the health and safety risk assessments.
• With such a wide range of operations taking place in many countries, a consistent methodology for recording risks, managing risks and reporting on risks is more likely with a single system. This will support an enterprise approach to RM, increasing the chance of all the benefits associated with ERM being realised in a widely dispersed company with different languages, cultures and risks.
• The person responsible for coordinating risk management activity across the organisation will have access to more reliable and consistent data in order to make better-informed RM decisions, especially in relation to disaster recovery. There is the potential for significant disruption to the mining and processing activities caused by machinery breakdown; the RMIS can be used to record information that will assist in minimising the disruption caused by mechanical failure.
Explain the main risk management roles of each of the following groups: The CEO
• determine the strategic approach to risk • establish the structure for risk management • understand the most significant risks • consider the risk implications of poor decisions
Explain the main risk management roles of each of the following groups: Individual employees
• understand, accept and implement risk management processes • report unnecessary, inefficient or unworkable controls • report loss events and near-miss incidents • cooperate with management on incident investigations • ensure that visitors and contractors comply with procedures
Define the terms 'risk appetite', 'risk tolerance' and 'risk universe' from the IRM's Risk Appetite Guidance and explain how each are related.
• All the risks that the charity might face (the "risk universe" - Diagram 3)
• Those that, if push comes to shove, the charity might just be able to put up with (the "risk tolerance" - Diagram 4, also known in Hopkin as risk capacity)
• Those risks that the charity actively wishes to engage with (the "risk appetite" - Diagram 5)
• Thus risk tolerance is part of the wider universe of risk, and risk appetite is part of the risk tolerance. They all cover the same bank of risks, but each successively a smaller portion of it.
Explain three benefits to the charity in deciding to classify the above risks.
• The CIMA reading (p5) explains that in Tesco "Financial risks are treated separately by the treasury function. Tesco Personal Finance has risks that have to be managed differently."
• On p6, RBS had "Six main categories of risk were clearly defined and evaluated: credit risks (including country and political risks); funding and liquidity; market risk; insurance risk; operational risks (fraud, human error, and external events); regulatory risks; and 'other' (primarily reputation and pension fund risks). At the divisional level, local CEOs were personally accountable for risk management. Divisional chief risk officers (CROs) also reported to the group CRO (and the divisional risk officers for each category of risk into that category's group head of risk) to ensure a consistency of approach." This illustrates two reasons for classification: allocating responsibility for risk management, and bundling together related risk treatments.
• On p7 of the CIMA report, the BCC case shows that risk classification provides the tool for an easier and more comprehensive risk identification process: "Firstly, risk and opportunity identification. Internal audit prompts decision makers to consider a number of different areas in any service area, including environmental, legal, political, financial, social, reputational, managerial, physical and technological risks. The results are codified into a risk register."
• On p8 of the CIMA report, risk classification is shown to be useful as a means of collating reports in a presentable format, by category: "Birmingham places a lot of emphasis on strong systems. It uses the Magique risk management software that supports training; real time updates to the risk registers; an events log; and scope for communication of risk information across directorates. It drives the collation and analysis of information relevant to risk at every level in the council."
• From the nature of this question: if you do not categorise risks, you cannot derive separate risk appetites for each category.
• The CIMA report (p8) also underlines the value of categories when you are in an integrated supply chain or a partnership network, where a consistent approach to risk management among partners is needed: "(DCMS) has a broad spread of activities - including lead policy responsibility for 54 public sector bodies that fall outside its departmental accounting boundary. So its risk challenges are complex, yet typical of a central government department."
Define what the acronym 'PACED' stands for in respect of Enterprise Risk Management (ERM)
• Proportionate • Aligned • Comprehensive • Embedded • Dynamic
Describe four aspects of an organisation's internal context.
• The culture of the organisation • The available resources • Objectives and strategy • Core processes • Decision making • Risk management governance
Explain the main risk management roles of each of the following groups: The manufacturing plant managers
• build a risk-aware culture in the plant • agree risk management targets for the location • evaluate reports from employees on risk management matters • identify and report changed circumstances/risks • ensure implementation of risk improvement recommendations
Explain the main risk management roles of each of the following groups: You, as the risk manager
• develop the risk management policy and keep it up to date • facilitate a risk-aware culture within the organisation • establish internal risk policies and structures • coordinate the risk management activities • compile risk information and prepare reports for the board and/or risk committee
Identify one potential benefit from having a shared risk vocabulary across an organisation
• Aids consistency of application across an organisation • Encourages a common understanding across all staff • Enables single, agreed definitions of key aspects of the risk framework
Explain three positive stances that the senior executive team can adopt to ensure that the charity's risk culture is not left to chance.
• Good communication of the organisation's expectations of all staff: this could be through policies, presentations, staff newsletters, induction processes, written documents, posters and job descriptions. Involving staff in the risk identification process also achieves greater buy-in.
• Training programmes that instil the right practices and knowledge.
• Investment in effective IT security tools, and active and transparent monitoring of IT usage that is made clear to all employees.
Describe four ways in which the senior executive team could measure the charity's risk culture.
• Use of questionnaires and checklists or employee survey data • Comparing the charity's values to actual behaviours • Individual behavioural evaluations of the charity's leaders or senior management • Consideration of risk awareness amongst key personnel • Comparison of materialised risks to key charity risks
List four emerging risks, which are not within the control of an individual organisation.
• climate change • sovereign debt • national security • changing demographics
The Study Guide (p82) says that global shocks which affect the whole of society "may be seen as being beyond the control of individual organization" and refers us to the WEF for examples. So examples from the WEF would be acceptable, if they are justified as being outside an organisation's control. The WEF presentation (pages 3-4) shows that most of the risks are outside an organisation's control, made even harder to control because many are interconnected. In the CIMA report (p9), DCMS identified a range of emerging risks not under the organisation's control, arranged by PESTLE:
• Political: change of government or cross-cutting policy decisions
• Economic: global economic conditions
• Socio-cultural: demographic change
• Technological: systems obsolescence; procurement costs
• Legal: EU legislation/directives
• Environmental: changes in attitudes to the environment from government, media and consumers
Describe what is meant by the term 'corporate governance'
Definition - there are many possible definitions of corporate governance (CG) to select from. Cadbury (1992) defined CG as 'the system by which companies are directed and controlled'. The OECD (2004) defines CG "as one key element in improving economic efficiency and growth as well as enhancing investor confidence. Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring". CG is about establishing a vision and managing delivery, risks and progress towards the realisation of that vision.
Explain the role of internal audit in respect of the company's risk management, control and governance processes.
Definition/Introduction - Internal audit's mission is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. The IIA definition of internal auditing is: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes". The profession of internal audit is fundamentally concerned with evaluating an organisation's management of risk. To evaluate how well risks are being managed the internal auditor will assess the quality of risk management processes, systems of internal control and corporate governance processes, across all parts of an organisation and report this directly and independently to the most senior level of executive management and to the board's audit committee. An internal auditor's knowledge of the management of risk also enables him or her to act as a consultant providing advice and acting as a catalyst for improvement in an organisation's practices. So, for example if a line manager is concerned about a particular area of responsibility, working with the internal auditor could help to identify improvements. Or perhaps a major new project is being undertaken - the internal auditor can help to ensure that project risks are clearly identified and assessed with action taken to manage them. Internal audit's role in evaluating the management of risk is wide ranging because everyone from the mailroom to the boardroom is involved in internal control. The internal auditor's work includes assessing the tone and risk management culture of the organisation at one level through to evaluating and reporting on the effectiveness of the implementation of management policies at another. 
Achieving objectives and managing valuable organisational resources requires systems, processes and people. Internal auditors work closely with line managers to review operations and then report their findings. The internal auditor must be well versed in the strategic objectives of their organisation and the sector in which it operates, so that they have a clear understanding of how the operations of any given part of the organisation fit into the bigger picture. Internal auditors can work constructively with other assurance providers to make sure the board's audit committee receives all the assurance it needs to form an opinion about how well the organisation is managing its risks. This also means that the available assurance resources are optimised by avoiding duplication and gaps in the provision of assurance.
Discuss how the two organisations' differing visions may influence their respective attitudes to risk.
Definition/introduction - Different organisations have different attitudes to risk. Some organisations, often (but not always!) in the public or third sector, will tend to be more risk averse than their more risk-hungry or aggressive counterparts in the private sector (but again, not always!). To some extent, the attitude of the two organisations to risk will depend partly on their sector, as well as on the attitude of individual board or senior management members.
In respect of the city council, its vision may influence its attitude to risk by:
• Reducing the amount of negative risk to the community's quality of life that it is willing to take.
• Looking to seize or take opportunities that will increase the community's quality of life.
• Reducing the amount of negative financial or reputation risk it is willing to take, given that it is 'public' money raised by council tax or from central government etc.
• Reducing the amount of negative health, safety and wellbeing risk it is willing to take on council-owned properties and facilities etc.
In respect of the manufacturing company, its vision may influence its attitude to risk by:
• Looking to seize or take opportunities that will increase its sales volumes.
• Looking to seize or take opportunities that will reduce costs and increase productivity.
• Reducing the amount of negative consumer or reputation risk it is willing to take, given that it desires to expand and dominate its sector.
• Reducing the amount of negative quality risk it is willing to take, as returns cost money, impact efficiency and damage reputation.
Conclusion - highlight the differences and possibly the similarities: both organisations will care about reputation and will not wish to upset key stakeholders.
Describe 'reputation risk', with reference to its main components. Explain the importance of reputation risk within a public sector organisation such as a local government
Describe: The description of reputation risk is obtained from Chapter 35. p382 indicates that reputation is the most valuable asset of the organisation and Table 35.2 p383 describes four (CASE) components of reputation: capabilities, activities (including finances), services and standard and ethics/integrity. Therefore reputation risk is all about events that might risk damaging or reducing the value of the organisation's reputation asset and risks in the four areas will be paramount. Most often in the private sector the consequence of reputation risk will be poorer financial performance over the short or long term. In the case of the public sector, it might be reflected in the removal of senior officers or officials and/or a change in leadership through elections. Chapter 35 also shows that reputation risk derives from good governance, especially in the area of corporate social responsibility. Table 35.1 in particular explains how successful CSR can be a key to organisational reputation, while bad CSR can very easily destroy reputation. In summary then, reputation risk has both an upside and a downside; events can occur with the opportunity to improve reputation as well as damage it and the response to each of these events is likely to be different. Explain: Answers here should provide both causes and consequences of reputation risk to local government or a similar PS organization and the use of a bow tie could be quite an appropriate way of presenting the answer. Chapter 25 p282-285 indicates some of the key Governance expectations in the government sector, which, if they are not achieved, could be seen as a range of causes to reputation damage. 
These include value for money (and work in this area is undertaken by the audit commission and other oversight bodies with legal authority from central government) along with the behaviour of officials and council officers and in particular the ethical behaviour - see the Nolan Committee (Table 25.2) and also a failure to effectively deliver core services as required by the central government or as agreed in local manifestos. This is further sub-divided into a failure in a framework of control which supports accountability, integrity, transparency, good management and innovation. In particular in recent times the failure to protect the confidentiality of citizens' personal details through cyber security has been a great cause of reputation damage. In short though, any adverse event which causes damage to any stakeholder interest, as mentioned in part (a) including a failure to manage the problems that come from competing stakeholder expectations (see study guide p52), has the potential to damage the government organisation's reputation if it is ignored or not managed effectively. On the other hand, events in the government sectors, such as how an organisation has responded to crises and leading the way in a positive ethical approach to delivery of services as well as consideration of the needs of the most vulnerable in society can be seen as a route to enhancing local government reputation. In these financially challenged times, the delivery of manifesto promises themselves can be seen as a positive contributor to reputation. The consequences to good/bad reputation events include the loss/gains in perception by the voting public on local political parties in local democracy (elections) and the possibility of direct or imposed rule from central government It can also affect the future willingness of external parties to work with the local government as well as a reduction of long term inward investment to the local region.
Describe the 'IRM Risk Culture Aspects Model' and explain how it could prove useful to indicate the health of the business's risk culture and assist in pin-pointing areas for improvement.
Diagnosis can be by means of a simple questionnaire or structured interview techniques. A gap analysis provides pointers to areas of strength and weakness and hence allows prioritisation and focus to be brought to what can be a difficult set of issues to grasp. The focus is on identifying tangible actions that can be taken to address areas of concern, drawing from a toolkit. The model presupposes a continuous improvement approach where a risk culture is moved incrementally and performance tracked over time. It is important to recognise where positive culture cycles need to be reinforced, and vicious cycles broken, to make a step-change improvement. This approach, set out diagrammatically in Figure 4, requires the organisation to self-assess in the areas of:
Tone at the top
• risk leadership - clarity of direction
• how the organisation responds to bad news
Governance
• the clarity of accountability for managing risk
• the transparency and timeliness of risk information
Competency
• the status, resources and empowerment of the risk function
• risk skills - the embedding of risk management skills across the organisation
Decision making
• well-informed risk decisions
• appropriate risk taking rewarded and performance management linked to risk taking
The risk culture aspects model links with the sociability (social/soft/people aspects) vs. solidarity (harder aspects, such as tasks and goals) analysis through planned action to address deficiencies in the current culture. The interventions required may relate to driving an increase in the levels of sociability and/or solidarity and pushing the organisation into a position more conducive to effective risk management. The risk culture aspects model specifically links the aspects shown in red in the diagram to greater impact on sociability and the blue aspects to improvements in solidarity.
You are responsible for risk management in an organisation of your choice. Prepare a memo to the Chief Executive Officer. Within the memo: b) Discuss the advantages and disadvantages of the PESTEL classification system and explain its six categories.
Discuss: To start with, discuss PESTEL by explaining what it is and, in particular, what its purpose is. PESTEL analysis is a means of enabling a business to identify and analyse risks in the external context; in other words, in that area of the business that lies outside its legal boundary. Advantages and disadvantages: it is very good for identifying risks in the external context, but not so good for identifying risks in the internal context, for which another model is better suited (candidates could name one such model). It is also the most popular model for external-context risk identification, which makes its use transferable and more easily understood. On the other hand, the model stops at identification; there is much more that we need to know about risks than simply identifying them. Explain: in essence we are asking candidates to explain what is meant by each category of risk and how it can affect an organisation. The best candidates will provide one or two examples for each of the six PESTEL sources of risk: political, economic, social, technological, ethical or environmental, and legal.
Give an example of an organisational function you would expect to find in each line of the 3 Lines of Defence Model
First line - Risk and control owners or management. Second Line - Risk management committee, risk management function, compliance, health and safety, business continuity etc. Third line - Internal audit, providing independent and objective assurance on governance, risk management and control.
In an organisation of your choice and using appropriate theory, describe four purposes of internal control and describe one example of a 'detective control'.
Firstly, give a definition of internal control. The primary purpose of internal control activities is to help the organisation achieve its objectives. Typically, internal controls have the following subsidiary purposes:
• safeguard and protect the assets of the organisation;
• ensure the keeping of accurate records;
• promote operational effectiveness and efficiency;
• adhere to policies and procedures, including control procedures;
• enhance the reliability of internal and external reporting;
• ensure compliance with laws and regulations;
• safeguard the interests of shareholders/stakeholders.
COSO summarises these under three objective categories: effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws and regulations and internal policies.
A detective control is one that identifies that an error or risk event has already occurred so that it can be corrected; for example, a periodic stock count or bank reconciliation that reveals a discrepancy after the event.
Propose four key actions the senior executive team could undertake to ensure that the risk management framework is implemented effectively across the charity
Four key actions could be chosen from:
• Endorse a clear risk policy - the high-level statement of the organisation's philosophy on risk and the foundation of the organisation's risk strategy
• Agree appropriate terms of reference for any risk committee and for any individual responsible for championing risk management
• Ensure training is undertaken, is effective and is followed up in the workplace to reinforce what is learnt
• Champion risk management through action, deed and clear tone-at-the-top messaging
• Establish professional key risk indicators and a risk dashboard for reporting and monitoring purposes
• Review issues and events logs to record and learn from actual events and near misses
You are the risk manager in a project team looking to expand passenger capacity, flights and infrastructure at a major airport. Identify and explain: I. Four likely, current risks to the expansion project.
Four likely, current risks to the expansion project include:
• Political - national or local political pressure against the airport expansion causes additional obstruction, delay, demonstrations and resistance.
• Legal - challenges from local residents, interest groups or other bodies may result in lengthy and expensive court action, delaying expansion plans and resulting in additional costs and (negative) publicity.
• Complexity - the scale of interdependencies and complexity threatens current operations while the expansion occurs, resulting in flight delays, reduced customer experience and reputational damage.
• Financial - changing exchange rates, poor budget control or poor estimation result in additional costs and a failure to remain within budget.
Describe what is meant by the 'control environment'.
HOPKIN: The control environment, which the COSO ERM framework labels the 'internal environment', is a measure of the control and risk culture within the organisation. The view taken by the CoCo framework is that if the control environment is satisfactory, risk management and internal control activities will be successfully and appropriately undertaken. Hopkin describes it as the "Attitude, awareness and culture of the organization regarding risk management and/or internal control, referred to in the COSO (ERM) as the 'internal environment'". STUDY GUIDE: COSO's Internal Control - Integrated Framework, published in 1992 in the US and updated in 2013, describes the control environment as the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation (COSO, 2013).
Complete the following sentence by entering the four missing words: ____________ risks _______ objectives, and the level of _____ of such risks is a measure of their __________.
Hazard risks undermine objectives, and the level of impact of such risks is a measure of their significance.
Describe the scope of issues covered by CSR.
• Health and safety - commitment to a programme of activities to achieve continuous improvement in health and safety performance.
• Employees - aim to deliver a competitive and fair employment environment and the opportunity to develop and advance, subject to personal performance.
• Customers - strive to provide high-quality service and products and good value for money in all dealings with customers.
• Environment - reduce impact on the environment, including factors contributing to climate change, through a commitment to continual improvement.
• Suppliers - work with suppliers to ensure that worker welfare/labour conditions and environmental practices meet recognised standards.
• Community - aim to be a responsible corporate citizen through support for appropriate non-political and non-sectarian projects, organisations and charities.
• Products/services - designed not to cause, unintentionally or by design, death, injury, ill-health or social disruption, hardship or detriment.
Propose three benefits of producing a risk appetite statement for this charity.
Hopkin explains some of the benefits of risk appetite statements, which include:
• facilitating consistent risk-based decisions at all levels of the organisation;
• facilitating decisions in the organisation on whether to treat or tolerate a risk;
• providing an indication of how much investment would be needed in RM (the more risk averse the organisation, the more RM resource it needs);
• external risk assurance: communicating to stakeholders the level of risk aversion in the organisation is likely to give stakeholders clearer knowledge of the risks they take when engaging with the business.
Overall, then, there is a greater likelihood that all parts of the business will pull together in the same way to achieve objectives, and that could be very relevant for a charity so widely dispersed around the world, where different situations and people might have significantly different attitudes to risk and perceptions of risk.
Describe the characteristics of embedded risk management. Explain why good leadership would be an important requirement for such a project.
Hopkin (p111-112) describes embedding as the point at which RM processes become part of the daily routines and management of the institution; where RM is practised by everyone throughout the organisation and where all risks have a risk owner. Without a lead from the top, embedding will not be taken seriously and, of course, the resources needed to embed it will not become available.
Explain why Control Risk Self Assessment might be a very useful activity for the retailer once risk management has been fully embedded.
Hopkin (p351-353): CRSA is seen as the first line of defence for providing assurance to supervisory layers of management, the board and the audit committee on the management of risks in a business, in which lower-level business managers account for their management of the risks they own. It follows that embedding risk management with risk owners will only work if the risk owners are subsequently made to account for the way they have managed their delegated risks, and this accountability can be achieved in the way that CRSA envisages.
Define the term 'emerging risks'.
Hopkin says "All organizations are concerned about changes in the external and internal context that give rise to new challenges, uncertainties and opportunities. These changes can be considered to be the emerging risks facing the organization." The Study Guide says "Emerging risks is the name given to new threats to an organization, whether the threat is currently unknown or is known but not regarded as relevant to the organization", to which we should also add the word 'opportunity', reflecting that risks can be both positive and negative.
Define the control environment.
Hopkin says "The phrase 'control environment' is preferred by internal auditors. ISO 31000 refers to the 'risk management context'. COSO refers to the 'internal environment'. In all cases, the intention is to refer to the level of maturity of the organization with regard to internal control activities." On p339 he adds "The view taken by the CoCo framework is that if the control environment is satisfactory, risk management and internal control activities will be successfully and appropriately undertaken". On p402 he concludes that the Control Environment is "Attitude, awareness and culture of the organization regarding risk management and/or internal control, referred to in the COSO (ERM) as the 'internal environment'" The Study Guide on p63 says "COSO's Internal Control - Integrated Framework, published in 1992 in the US and updated in 2013 describes the control environment as the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation (COSO, 2013)." And further on p64: "But what do we mean by "control environment"? It can be viewed as the whole range and interaction of controls that address risks."
The board of an organisation require assurance that the risk strategy and risk management is operating effectively across the organisation. Describe the role that each of the following play in providing risk assurance to the board: I. The audit committee
I. The audit committee - evaluates the governance standards within the organisation, ensures that risk management receives appropriate attention and seeks assurance that management complies with the risk management process and framework in practice. It may summon managers to give account of themselves and may raise concerns to the main board.
Define a supply chain and list two stakeholders involved in the supply chain.
ISO 28000:2007 'Specification for security management systems for the supply chain' provides the following definition of supply chain: A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, manufacturers, distributors, wholesalers, vendors, and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal or external to an organization.
Why maintaining an awareness of risk events that occur in the wider world is a vital role of the risk manager
It is instructive to look at the root cause of an event, the circumstances by which the event developed and expanded, the organisation's response to the event and the ultimate financial and other effects. The purpose of this research and analysis is to learn the lessons from the event or circumstances so that your own organisation may be better prepared in terms of an effective control environment and event response
Describe four barriers that can occur when an organization seeks to implement enterprise risk management. State one action to overcome each barrier that you identify
• Lack of understanding of RM and belief that it will suppress entrepreneurship - establish a shared understanding, common expectation and consistent language of risk across the organization
• Lack of support and communication from senior management - identify a sponsor on the main board of the organization and confirm shared and common priorities
• Seen as just another initiative, so its relevance and importance are not accepted - agree a strategy that sets out anticipated outcomes and confirms the benchmarks for anticipated benefits
• Benefits not perceived as being significant - complete a realistic analysis of what can be achieved and the impact on the mission of the organization
Summarise five key components of a risk aware culture and state how each can help to improve the risk culture of an organisation
Leadership Involvement Learning Accountability Communication
Summarise five main principles of corporate governance
• Leadership - Every company should be headed by an effective board which is collectively responsible for the long-term success of the company.
• Effectiveness - The board and its committees should have the appropriate balance of skills, experience, independence and knowledge of the company to enable them to discharge their respective duties and responsibilities effectively.
• Accountability - The board should present a fair, balanced and understandable assessment of the company's position and prospects. The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.
• Remuneration - Levels of remuneration should be sufficient to attract, retain and motivate directors of the quality required to run the company successfully, but a company should avoid paying more than is necessary for this purpose.
• Relations with shareholders - There should be a dialogue with shareholders based on the mutual understanding of objectives. The board as a whole has responsibility for ensuring that a satisfactory dialogue with shareholders takes place.
You are responsible for risk management in an organisation of your choice. Prepare a memo to the Chief Executive Officer. Within the memo: c) Describe a significant risk from any four PESTEL categories for your own organisation and discuss the suitability of a 'key risk indicator' that could be used in each case as a test of significance.
Legal: A change in the emissions law affecting our fleet of vehicles, resulting in higher than expected compliance, operating and maintenance costs and thus damaging our competitiveness. The last review of this area of law occurred five years ago, so a new review is highly likely. The benchmark for this would be a financial measure, namely that the operating costs resulting from the change could not exceed £1 million per year before it impacts on our market share.

Economic: An inability to recruit staff due to our wage structure not keeping pace with expected economic growth and worker expectations during the next five years; a lack of staff in post will result in disruption to normal operations and damage our reputation, as well as invoking penalty clauses from our sponsors. Given the current growth of the local economy, this is a highly likely event. Our KRI would be based on the percentage of collections not undertaken on the allocated day. If more than 5% of collections in any month did not take place on the correct day, this would be considered the measure of whether the risk was significant that month.

Political: A change in the local government could result in a change in the rate of payment for our services and make our business non-viable in any region. This is reasonably likely over the next five years, and the test of significance would be based on a 5% fall in unit payments, as this would remove our profit margin.

Environmental: An escape of potentially lethal chemicals from our landfill could result in a disaster to our reputation and the government suspending our operations. Given the wide variety of material dumped, this is a highly likely event. Any incident of contamination at any time is indicative of a significant incident.
Draft a professional questionnaire that could be used to help evaluate the effectiveness of the company's board.
Need an appropriately formatted questionnaire (title, columns for questions and responses, date, reference etc.) with relevant questions to test board effectiveness. Areas to question:

Membership and Structure
• Does the board have the necessary range of knowledge, skills and experience to discharge its duties appropriately?
• Are the board sub-committees effective, with appropriate delegated authority?
• Are board decision-making processes satisfactory, with adequate information available in a timely manner?

Purpose and Intent
• Do all board members understand and share the vision and mission?
• Is there sufficient knowledge and understanding of the key risks?
• Have measurable budget and performance targets been put in place?

Involvement and Accountability
• Does the board have shared ethical values, including openness and honesty?
• Are the established policies unambiguous and consistent with the ethics?
• Do board members understand their duties, responsibilities and obligations?
• Are adequate delegation and authorisation procedures in place?

Monitoring and Review
• Does the board challenge planning assumptions when and where appropriate?
• Does the board demonstrate the ability to respond rapidly to change?
• Does the board assess financial and other controls and seek assurance on compliance?

Performance and Impact
• Is there a satisfactory level of attendance at board, committee and other meetings?
• Are board decisions and actions fully recorded and actions tracked and confirmed?
• Are the agreed targets and performance indicators evaluated and assessed?
Describe what is meant by the term risk culture and identify its relevance to risk management for the charity's senior executive team.
Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation. It is a key component of effective risk management and may be reinforced in a virtuous cycle of positive actions and behaviours over time that match the organisation's desired risk culture. But there can of course be a cycle of dysfunctional behaviours and actions that are tolerated and create a vicious circle of damaging, negative risk culture
Correct the errors underlined in the following definition, taken from the IRM's risk culture guide: "Risk culture is a term describing the appetite, beliefs, practice and morality about risk shared by a group of people with conflicting objectives, in particular the employees of an organisation or of teams or groups within an organisation
Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation.'
Describe what is meant by the term 'risk protocols', giving two examples of what they may detail in practice
Risk protocols are the means by which the selected risk strategy and architecture are delivered in practice. Risk protocols may detail risk identification techniques, the format and content of the risk register, how risk and control ownership is allocated, reporting requirements, approval processes for risk expenditure etc
The senior executive team are keen to recruit a risk officer to help embed the risk management framework. Recommend five key technical and five soft skills that you think will be essential for the risk officer to help further embed the risk management framework at the charity.
Technical, including the ability to:
• Plan and develop the risk management strategy
• Implement the next steps
• Develop processes and build awareness
• Measure risk management performance
• Learn from risk management experience
• Understanding of good practice risk management

Non-technical, soft skills:
• Communicate clearly and professionally
• Facilitation and presentation skills
• Relationship and stakeholder management
• Analytical and assessment skills
• Management and leadership competence
Describe one advantage and one disadvantage of producing a range of risk appetite statements; one for each class of risk over a single organisation-wide risk appetite statement
The CIMA 2010 report RBS p5 implies that many businesses do this: "The group board spelled out the overall risk appetite for both financial risk and qualitative risks, such as customer satisfaction." Meanwhile the IRM Risk Appetite Guide p8 says "Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development." Also on page 8 it implies that different risk appetites might exist at strategic, tactical and operational levels of risk.

Thus, simply from the nature of the organization, directors might be happier accepting some types of risk at a higher level than others. In the case of the charity, health and safety risks to personnel and beneficiaries could be the least acceptable, especially to external stakeholders, who might view a cavalier attitude to health and safety as being completely unacceptable. Hopkin p222 says that: "Logically, risk appetite statements should be structured to align with the risk classification system used in the organization." So, for example, where there are risks (such as external risks) which the organization cannot control, by necessity the risk appetite is higher.

The disadvantage of a multi-category approach is one of confusion for the people who have to manage risk: a simple feel for the right level of residual risk to aim for across all categories is an easier thing to manage than multiple targets, especially if category boundaries are blurred. Another disadvantage is that of the target risk score. If we set a target risk of, say, 4 (being 2x2), then it does not really matter whether that target risk relates to one category or another; the organization is surely equally exposed to damage for all classes of risk if the target is 4.
Draw a diagram of the Criteria of Control (CoCo) Framework explaining the meaning of the framework's components. Explain how the CoCo Framework can help improve the understanding of the control environment.
The Criteria of Control framework, otherwise known as CoCo, produced by the Canadian Institute of Chartered Accountants (CICA), is a structured means of measuring the quality of the control environment within an organization.

The components: The rationale behind CoCo is explained in the framework as follows: A person performs a task guided by an understanding of its purpose and supported by capability. The person needs a sense of commitment to perform the task well. The person monitors his or her performance and the external environment to learn how to do the task better and any required changes. In any organization of people, the essence of control is the four components set out above (purpose, commitment, capability, and monitoring and learning).

There are similarities between the CoCo approach and the LILAC measure of risk awareness or risk culture (or control environment) that has been mentioned previously. The LILAC approach suggests that risk management activities will be embedded when the risk culture displays leadership, involvement, learning, accountability and communication. Individual organizations should decide how they wish to measure the control environment/risk-aware culture within the organization. Whatever method is used to measure the risk culture, there is no doubt that it is critical to the successful implementation of risk management.

When undertaking an evaluation of the control environment using the structure of CoCo, a company may (for example) discover that good scores were obtained for the purpose, commitment and capability of the organization. However, the score for the monitoring and learning component may not be good enough. This information will enable the company to identify that it needs to pay more attention to those areas.

The four components and how they can be used to understand the control environment (quote from p399)

The first component of the CoCo framework, purpose, is concerned with the establishment and communication of objectives, the significant internal and external risks faced by the organization and the policies designed to support achievement of the organization's objectives. Plans to assist with the achievement of objectives and the inclusion of measurable performance targets and indicators are also important aspects of the purpose component of CoCo. When establishing and analysing the purpose of the organization, CoCo makes it clear that the risks and opportunities facing the organization should be analysed in detail. The importance of risk assessment and organizational resilience is emphasized, together with the importance of recognizing the sources and origins of risk.

The commitment component of CoCo is concerned with shared ethical values, including integrity. It is also concerned with human resource policies and practices and communication throughout the organization. Authority, responsibility and accountability are also included, together with the requirement to achieve an atmosphere of mutual trust.

The capabilities component of CoCo is concerned with the fact that people should have the necessary knowledge and skills to support the organization's objectives, as well as its values. Sufficient relevant information should be identified and communicated, together with decisions and actions of different parts of the organization. Activity should be co-ordinated and designed as an integral part of the organization.

The monitoring and learning component of the CoCo framework is concerned with the external and internal environments and the fact that they should be monitored to obtain information. Performance should be monitored against targets and indicators, and assumptions behind the objectives of the organization should be periodically challenged. The information needs and related information systems should be assessed when objectives change, and a procedure should be established and performed to ensure that appropriate change actions occur in these circumstances. Finally, management should periodically assess the effectiveness of the control environment in the organization and communicate results to appropriate stakeholders.
Within an organisation, describe three of the main risk management responsibilities of the following internal stakeholders: i. Group Risk Management Committee; ii. Audit Committee; iii. Health and Safety Committee iv. General Manager of each club.
The General Manager's role can be likened to that of a divisional or location manager. A health and safety committee as such is not discussed in the reading materials, but its role could be inferred by a candidate who can synthesise the type of risks that an H&S committee is likely to oversee in an organisation such as this. This is a specialised area of risk; as such, clues about its role can be derived.

In all cases, it is not enough for the candidate to simply present the roles of each risk group; they should describe them in terms of how they would fit in this organisation. So, for example: in order to ensure effective risk management is achieved in the business, various committees will need to be established. Some of these committees will have statutory responsibilities, and the overall range of committees established reflects the legal obligations placed on the club. Committees might well be located at head office, but possibly with delegated committees meeting at each club from time to time.

The health and safety committee might be responsible for: establishing health and safety priorities for the coming year, keeping abreast of changes in health and safety legal obligations for the organisation, coordinating the programme of safety audits and training, and monitoring health and safety performance and accident rates.

The individual sports centre general managers might be responsible for: the overall risk management of the relevant club, keeping the club's risk register up to date, preparing reports for the risk committee, and building a local risk-aware culture with help from the risk manager.
Explain what is meant by the term 'safety culture' and discuss why this is critically important for many organisations.
The Health and Safety Executive in the UK defines safety culture as: 'The safety culture of an organisation is the product of individual and group values, attitudes, perceptions, competencies, and patterns of behaviour that determine the commitment to, and the style and proficiency of, an organisation's health and safety management. Organisations with a positive safety culture are characterised by communications founded on mutual trust, by shared perceptions of the importance of safety and by confidence in the efficacy of preventive measures.'

Safety culture is critically important for many organisations because:
• In many industries (such as airlines, manufacturing, mining and hotels) managing a safety culture is the main focus in the management of risk culture.
• Ensuring the safety and wellbeing of customers, staff, contractors and members of the public is key to organisational success.
• Ensuring safe working practices depends very much on demonstration by the leadership team of positive support for safety activities and the education and training of all staff in best practice working behaviours.
• An effective safety culture helps reduce exposures to legal, reputational and financial risk.
• It enhances the organisation's reputation, and stakeholder trust and confidence.
Explain the overriding purpose of corporate governance and justify why good risk management is essential in supporting it.
The UK Corporate Governance Code (September 2014), published by the Financial Reporting Council (FRC), defines corporate governance as "the system by which companies are directed and controlled". The code goes on to note: "The purpose of corporate governance is to facilitate effective, entrepreneurial and prudent management that can deliver the long-term success of the company." (FRC, 2014: 1) The clue to its role in risk management is the link between setting the direction (which means strategic direction accompanied by corporate objectives) and the control, and thus achievement, of those objectives. The missing link is the effect of uncertainty on those objectives (risk), which needs to be controlled in order to achieve the objectives; thus the control aspect is just another way of saying that the objectives need to be risk managed.
Explain four steps that you would take to investigate quality risks in the supply chain.
The company is likely to import goods from a range of suppliers, and a consistent level of quality will be required across all branded goods. For the consistency of quality within supplied goods to be investigated, the following steps will need to be taken:
i. Investigate whether quality standards have been clearly established for the goods being investigated
ii. Confirm that details of these quality standards have been received and understood by suppliers
iii. Investigate the quality control systems and procedures in place in supplier organisations
iv. Do physical investigations of a sample of goods to determine whether they are within quality parameters
v. Independently audit and check the supplier and ensure that the supplier's own procurement systems are equally robust
State the first stage in the risk management process according to ISO 31000.
The first stage in the risk management process according to ISO 31000 is 'establish the context'.
List eight types of information that you might hold on the RMIS
The following types of information may be handled, stored, managed, distributed and communicated using a risk management information system (RMIS):
1. Risk management policy and protocols
2. Risk profile data, values and information
3. Emergency contact arrangements and contact details
4. Insurance values and cost of risk data
5. Insurance claims handling and management protocols
6. Historical loss/claims experience/information
7. Insurance policy coverage and other information
8. Risk management action plans (risk register)
9. Risk improvement plans and implementation
10. Business continuity plans and responsibilities
11. Disaster recovery plans and responsibilities
12. Corporate governance arrangements and reports
Describe five main features of a 'risk aware' culture.
The model that Hopkin uses to reflect the features of a risk aware culture is derived from the abbreviation 'LILAC'; that is: leadership, involvement, learning, accountability and communication.
• Leadership - Strong leadership within the organisation in relation to strategy, projects and operations
• Involvement - Involvement of all stakeholders in all stages of the risk management process
• Learning - Emphasis on training in risk management procedures and learning from events
• Accountability - Absence of an automatic blame culture, but appropriate accountability for actions
• Communication - Communication and openness on all risk management issues and the lessons learnt
Other alternatives might also be acceptable if they seem to cover the relevant subjects; examples include CoCo/COSO. Similar to the emphasis on risk culture is the emphasis on a particular culture, for example the importance of a 'compliance culture' in financial services, or of patient experience or a 'safety culture' in healthcare.
Discuss the role of an internal audit function. Explain how the work of the risk management function could be incorporated into the internal audit function whilst safeguarding the internal audit's methods of working
The profession of internal audit is fundamentally concerned with evaluating an organisation's management of risk. The key to an organisation's success is to manage those risks effectively - more effectively than competitors and as effectively as stakeholders demand. To evaluate how well risks are being managed, the internal auditor will assess the quality of risk management processes, systems of internal control and corporate governance processes across all parts of an organisation and report this directly and independently to the most senior level of management. The document then goes on to examine the role in more detail. The IIA paper (IIA, 2013a), Three Lines of Defence in Effective Risk Management and Control, talks about the role of IA as the third line of defence.
The board of an organisation require assurance that the risk strategy and risk management is operating effectively across the organisation. Describe the role that each of the following play in providing risk assurance to the board: I. The risk management team
The risk management team - will facilitate the risk management framework and processes, (potentially) coordinating, enhancing and challenging management's risk assurances. It may provide a more objective view to the board of the true state of play than management. It may analyse and assess risk themes and produce highlight or status reports across the whole organisation for the board.
1. Prepare a report for the Chief Executive in which you: b) Describe the levels of risk maturity and justify the maturity level you think presently best fits this business
There are a range of levels of risk maturity that can prevail within an organisation, drawn from a range of different sources.
• Level 1: Naïve - Level 1 organizations are unaware of the need for the management of risk or do not recognize the value of structured approaches to dealing with uncertainty. Management processes are repetitive or reactive, with insufficient attempt to learn from the past or to prepare for future threats or uncertainties.
• Level 2: Novice - Level 2 organizations are aware of the potential benefits of managing risk, but have not implemented risk processes effectively and are not gaining the full benefits. The organization is either experimenting with the application of risk management or is operating a risk management process that has fundamental weaknesses.
• Level 3: Normalized - Level 3 organizations have built the management of risk into routine business processes and implement risk management throughout the organization. Generic risk management processes are formalized and the benefits are understood at all levels of the organization, although they may not be consistently achieved.
• Level 4: Natural - Level 4 organizations have a risk-aware culture with a proactive approach to risk management in all activities. As a result, the consideration of risk is inherent to routine processes. Risk information is actively used and communicated to improve processes and gain competitive advantage.
There is evidence that our organisation has a very low level of maturity. This is evidenced by its repeated exposure to risk crystallisations, a lack of engagement with stakeholders (especially customers and staff), a blame culture and a lack of knowledge throughout the enterprise on key objectives and therefore key risks. I have used the LILAC risk culture card to assess our organisation's maturity. Therefore I would take the view that our risk maturity is presently novice.
I have come up with that scoring on the basis that the CEO is aware of the risks the business faces, but as yet, has been unable to effectively manage them
You are the risk manager in a company that arranges the manufacture of high quality personal accessories, such as handbags, shoes, belts and high value clothes. It then sells them in its top brand retail shops around the world. Identify and justify four of your main concerns about the risks in your supply chain.
There are a wide range of risks associated with the supply chain, including the following:
i. Costs may escalate, and this could be related to events outside the scope of influence of the supplier or customer, such as changes in interest rates or exchange rates. Costs will include raw materials, labour and transportation costs.
ii. There may be unethical behaviour on the part of suppliers that will reflect badly on the manufacturer of these high-branded goods. Unethical behaviour will include issues related to poor rates of pay and working conditions, especially if materials are sourced from developing countries.
iii. The quality of the manufactured goods may be poor, and it may be difficult to return these defective goods to the distant manufacturer in a timely and cost-effective manner. Quality issues will include goods not being manufactured from the materials described and poor workmanship.
iv. A supplier may go bankrupt because of influences in the local economic environment that are outside the control of our company; this could have a really serious effect if the supplier is the sole supplier of an important component of a branded good.
v. Political changes may occur that increase taxes or alter employment conditions, including pay rates, and these could have an adverse effect on our company's competitiveness.
Identify four relevant KPIs that the city council could employ to assess important aspects of its performance and for each KPI, describe a risk that could affect achievement of success.
There are many potential relevant KPIs for the city council, but examples include:
• % of residents that are satisfied with council services
• % voter turnout at local elections
• Change in value of commercial property
• Tons of community-recycled waste
• Full-time employees per capita
• % of council tax billed that is collected
• Workforce diversity at the council
• Recreation centre attendance
• % of public works completed to cost, quality and time targets
• Housing waiting list numbers

Sample risks that could affect achievement of success include:
• % of residents that are satisfied with council services - a risk would be the cutting or decrease in council services due to central government funding reductions, leading to a decrease in local satisfaction.
• % of council tax billed that is collected - a risk would be insufficient staffing to pursue non-payments or fraudulent avoidance of payments.
• Tons of community-recycled waste - a risk would be community lethargy or a lack of understanding of the benefit or need for recycling, resulting in a decrease in the amount of waste recycled.
• % of public works completed to cost, quality and time targets - a risk would be insufficient expertise or capability in running major projects, resulting in cost and time overruns and a decrease in the quality of delivered solutions.
Describe the purpose of key risk indicators
There are techniques available to measure the changes in business performance, such as key performance indicators (KPIs) - for example, increase in sales in retail, or passenger numbers in the airline industry - and these have been further developed into key risk indicators (KRIs). An important part of the risk management process is of course risk reporting, and organisations have developed their KRIs according to their particular needs. As well as specific KRIs, there are certain generic risk indicators in use that can be calibrated to fit any organisation.
Discuss why reputation is so important to organisations
There are very few organisations that do not rely on a positive reputation for their continued prosperity, and indeed existence. Loss of reputation can impact sales, relationships, regulatory licensing, the ability to attract employees and ultimately profits. Damage to corporate reputation (or equivalent for non-corporate entities) is usually regarded as a consequence of the occurrence of a risk, rather than a risk in itself. Having said that, many organisations will discuss 'reputation risk' as a category of risk, but it is the train of negative events that give rise to reputational problems that requires analysis and control. Given that senior managers place great importance on having an excellent reputation, it follows that great importance should be placed on the effective management of risks that could damage reputation
List six different stakeholders for your company and justify one expectation that each stakeholder may have around the activities of this company
There will be a range of stakeholders in the goods that are supplied and sold by the organisation. Briefly, these stakeholders will include the following:
a) Customers expect quality and value for money, with product quality and style being a focus for this particular business, along with reliable customer service in case of any problems
b) Regulators expect the goods to be fit for purpose; this again will be about acceptable quality levels, but also around ethical sourcing and safety standards. Regulators will also have expectations in a range of other areas, such as health and safety, financial reporting, procurement, IT security etc.
c) Financiers expect an adequate return on investment as well as a suitable balance between return and risk; they also expect the company to maintain and build its reputation in order to guarantee future earnings growth
d) Workers and staff expect ethical working conditions in terms of security of employment and living wages
e) Suppliers expect fair treatment, including fair payment conditions, and they are looking for a sufficient return on their investment in supplying high quality components to our business, as well as contracts which offer continuity of supply over the longer term, subject to adequate quality
f) Local society is looking for things such as sustainable manufacturing practices, with minimal waste and pollution, and some form of 'social return' into the localities around which manufacturing operates (corporate social activities)
Summarise three characteristics of a good risk culture
This requires a summary of three out of the five LILAC meanings described on p110. Alternatively, any of the 10 elements from the Risk Culture guide would also suffice.
Low risk appetite: a high level of unwillingness to accept risk exposure relative to other organisations.
State the main differences between a 'unitary' and a 'two-tier' board.
A unitary board is one where executive and non-executive directors are members of the same board. A two-tier board typically has the NEDs on one board level, the supervisory level, with the executive directors meeting as the 'executive committee'.
ALARP is one of the fundamental principles of risk management for health and safety. Describe how you would determine that risk had been reduced 'as low as reasonably practicable'.
This would be the point at which the costs of any reasonable measures to reduce risk were disproportionate to the benefit that could be achieved.
Discuss the value of effective training in helping establish and embed a positive risk management culture in an organisation.
To drive a positive risk culture, senior management must also look at how risk training is carried out and the time and resources devoted to training (and indeed periodic retraining). Most training is aimed at developing staff capability in terms of skills and knowledge and is often combined with 'on the job' learning where soft skills (such as client care) and judgement can develop. Embedded within the training for skills and knowledge will naturally be training for safe working methods, how to avoid waste, how to ensure efficiency of operations and how to represent the organisation and protect its reputation. In addition to occupational skills training, certain jobs require specific risk training in terms of awareness and application of risk controls. For example, staff in the human resources (HR) team at a university will be taught how to enter students' details into the IT system, how to merge groups, extract reports and ensure data quality and completeness is maintained. The staff will also be trained in how to maintain a secure system: not to disclose personal information, to comply with access controls such as passwords, and not to copy students' details onto remote devices. As noted, safety training is a key aspect of risk management in many organisations and to a degree in all organisations. Risk training is not of course limited to safety or wider operational issues; for example, staff in the finance team will be trained in specifics such as managing aggregation exposures to banks and will seek to spread their accounts across a number of banks. Buyers in retail organisations will be trained to seek alternative suppliers to avoid reliance on a limited number of suppliers. The key feature of risk training is to develop staff beyond the limits of their functional role so that they have a good awareness of risk exposures and understand the importance of the control measures in place.
Prepare a report for the Chief Executive in which you describe five main principles of a risk aware culture.
To: The Chief Executive
From: The Risk Office
Date: Today
Subject: Risk maturity at the organisation
Please find attached a short report on risk culture and risk maturity at your organisation. The culture of the business is a very important factor in determining the way risk is managed and can be a determinant of its ultimate success. There are five principles of a risk aware culture, described by Hopkin as the LILAC principles:
• Leadership - Strong leadership within the organisation in relation to strategy, projects and operations
• Involvement - Involvement of all stakeholders in all stages of the risk management process
• Learning - Emphasis on training in risk management procedures and learning from events
• Accountability - Absence of an automatic blame culture, but appropriate accountability for actions
• Communication - Communication and openness on all risk management issues and the lessons learnt
You are responsible for risk management in an organisation of your choice. Prepare a memo to the Chief Executive Officer. Within the memo, explain two general benefits of having a risk classification system.
To: The CEO
From: The Risk Manager
Date: 00/00/2000
Subject: Risk classification in our organisation
The organisation that has been selected to illustrate the kind of answer points that candidates should consider in this question is a private company that has the contract for the emptying of bins and collection of recyclable materials from domestic households. The main concern of the organisation is to ensure that efficiency is maintained and a satisfactory level of customer service is delivered.
Benefits of having a risk classification system. There are a number of benefits associated with having a risk classification system (Woods p22-27). The requirement of this question is theoretical; candidates do not have to apply the benefits that they explain to their organisation, although if they do, it would be quite acceptable. Some of the benefits discussed in the literature include:
• A structured risk classification system will provide a structure to risk assessment workshops that will make it more likely that all of the significant risks will be identified.
• The risk classification system will enable accumulations of risk of the same type to be identified, so that the organisation will be better able to recognise vulnerabilities.
• A risk classification system will also make it easier to identify who should be responsible for improved management of specific types of priority risks.
• The risk classification system helps the organisation decide whether the actual risk exposure is within the risk appetite and risk capacity of the organisation.
Other benefits that are not on the list are acceptable; for example, the bundling of similar risk types together for efficient treatment or insurance cover. The best candidates will also seek to provide some form of definition of what a risk classification system is.
Assess two potential advantages of establishing a risk committee in this organisation.
Two potential advantages of establishing such a body in this organisation include:
• helping the organisation embed effective risk management and supporting you in this initiative
• helping create a more risk-aware culture throughout the organisation
• holding managers to account where shortcomings occur
• ensuring senior oversight and an appropriate tone at the top for effective risk management across the company
Identify what a 'hybrid' approach to the structure of risk management activities means
A hybrid structure exists where discretion in the design and operation of risk management is allowed in certain areas, but in others (such as brand management, health and safety, and banking arrangements) the corporate approach must be adopted.
Explain how you would overcome each of the post-implementation difficulties.
Although there are advantages associated with having this RMIS, there are also difficulties that need to be overcome, including some risks associated with the outsourcing agreement:
• Considerable effort may be required by management to enter the information - this can be overcome by incentives to management for providing accurate data against an agreed and realistic timetable.
• It may take some time before the benefits of the RMIS become visible - this can be overcome by entering the most useful information into the system first, to provide output analysis and reports that demonstrate benefits.
• RM information is collected as a separate stream of management information (MI) that is not seen as relevant to the day-to-day activities of the company - this can be overcome by aligning the MI collected on the RMIS to business objectives.
• Access to the information may be difficult, especially in case of emergency, and this may be critically important if the disaster recovery plan has to be implemented - actions need to be taken to ensure that the information needed for disaster recovery purposes is fully up to date and available, possibly with its own disaster recovery provision.
• Ongoing maintenance - this can be overcome by ensuring strict quality conditions in the outsourcing agreement both during and post-implementation (Hopkin p323 suggests some of the conditions to include in an ongoing outsourcing agreement).
Explain one way this balanced scorecard can assist individual shop workers with the successful embedding of risk management.
The CIMA Tesco case study presents a good explanation. Quote: shop-workers can see exactly what's expected of them, for example, in terms of in-store customer experience, and understand how risks can devalue their performance. In other words, the scorecard is in effect the objective-setting activity (part of establishing the context for RM).
From the information in the scenario above, explain how the process of embedding risk management could be made both more difficult and easier to achieve within this particular retailer.
The CIMA Tesco case study suggests that the embedding of RM can be made more difficult when the organisation is widely dispersed, because local approaches are much more likely and different country cultures are likely to require some degree of tailoring of the embedding activity, which could make it less cost effective. On the other hand, the low number of management layers in the structure should facilitate rapid embedding from top to bottom. Also, the low level of diversification (the business model is the same worldwide) should make the project fast to achieve, with broadly the same types of risk being discussed and delegated.
One of the lessons we can learn from reviewing case studies in risk management is that "Bureaucratic processes and systems can hamper good risk management": Chartered Institute of Management Accountants (2010). State two reasons why this could be the case
CIMA states that this can either be "as a result of a 'box-ticking mentality' or because managers and staff believe they do not need to consider risk themselves"
Define what is meant by 'risk protocols' and list eight relevant risk protocols you would expect to see employed by your friend in the manufacturing company.
Definition - Organisations develop and use risk protocols as the means by which the risk strategy and architecture are delivered in practice. The protocols describe the operating procedures and practices required to put into effect the full range of activities within the risk management framework. Risk protocols could include:
• The techniques used in risk identification across the company.
• The format and content of the manufacturing company's risk register, how it is to be completed and the requirements for regular updates across the company.
• How risk and control ownership is assigned to staff across the company.
• Requirements on entering risk events into the issues and events log and the upward notification of events according to their materiality.
• Reporting requirements - such as weekly or monthly reports and risk analysis, performance against key risk indicators.
• Approval processes for expenditure on risk improvement actions across the company.
• Control and sign-off processes for entering into new (or renewal) contracts.
• Template documents for risk assessments and, where required, certification.
Draw a diagram which shows an ERM framework, using the COSO ERM standard
Ensure that the front face (the process) has both the right components and is presented in the correct order. The top face can be in any order, while the side face should begin with entity level; the order of the other side-face components is less important.
The board of an organisation require assurance that the risk strategy and risk management is operating effectively across the organisation. Describe the role that each of the following play in providing risk assurance to the board: I. External audit
External audit - provides assurance over the financial statements, accounts and potentially related areas of financial internal control and risk. May test financial risk management and fraud risk, and provide assurance on these. Assurance may be provided directly or through an audit committee.
Summarise four key risk indicators that could be used by any organisation.
Four generic KRIs could be chosen from:
• Reportable accident rates
• Staff turnover
• IT downtime
• Customer complaints
• Sickness absence
• Unplanned office closures
• External or internal frauds
"It is insufficient to leave an organisation's risk culture to chance". Describe three ways in which senior management could take a positive stance on risk culture
Good communication, effective policy, inductions, job descriptions, training programmes and an investment in IT security etc.
Define the term 'operational risk'
Hopkin states that operational risks are 'the type of risk that will disrupt normal, everyday activities'
Define 'residual risk'.
Hopkin's definition is "Existing level of risk taking into account the controls in place, sometimes referred to as 'net risk' or 'managed risk', but most frequently as 'residual risk'".
Identify the categories of risk specified by Hopkin.
I. Compliance/mandatory II. Hazard/pure III. Control/uncertainty IV. Opportunity/speculative
State which risk management framework the Sarbanes Oxley Act recommends. Explain why the company needs to comply with the Sarbanes Oxley Act and how the work of effective audit and disclosures committees, along with an internal audit function, can help the company reduce the likelihood of future Sarbanes Oxley compliance risks
Hopkin states that either the COSO ERM framework or the COSO Internal Control Framework is the framework of choice. The compliance requirements around SOX are extensive and complex and broadly deal with both the quality (truth and fairness) of the financial statements and the effectiveness of the underlying financial controls that help to mitigate financial reporting risks. Hopkin explains this on p366, and on p367 he states that SOX compliance "will also apply to organizations based in other countries if the company has a listing on a US stock exchange". Hopkin states on p366 that in order to comply with the requirements of Sarbanes-Oxley, many organizations have decided to set up a disclosures committee to validate all information disclosed by the organization. Because of the extensive application of SOX, many companies based in countries other than the United States have also been obliged to set up disclosures committees in order to decide what should be disclosed, considering the risks and opportunities of such disclosure as well as the compulsory parts of the results. Since SOX's role is mainly around the external reporting of financial results, the Audit Committee (AC) has a major role in providing assurance to the Board that their statements on the accuracy of the accounts and the quality of accounting-based controls are compliant and effective and that no material misstatements occur. This may also involve reviewing and discussing any reports from the internal and external auditors in relation to SOX (see table 32.1 on p347, a segment of which is shown here):
Financial reporting
● review the annual and half-year financial results
● evaluate the annual report against the requirements of the governance code (or in this case SOX)
● review disclosure by the CEO and CFO during certification of the annual report
External audit tends to review the accounts at the end of a reporting period.
The advantage of internal audit's review is that it can be independent of those people who put together the financial statements (and thus be more objective in its assurance) and also more timely and identify control weakness, errors or compliance failures earlier on, and therefore improve the likelihood of final compliance. Thus Hopkin says "A principal role of internal audit in the overall risk management process is ensuring accurate reporting. The scope of reporting can spread from informal reporting on risks and risk events through to formal reporting in the annual report and accounts of the organization. In organizations where the Sarbanes-Oxley requirements apply, internal audit will frequently get involved in the certification of financial performance, prior to attestation of the results by an external auditor."
The board of an organisation require assurance that the risk strategy and risk management is operating effectively across the organisation. Describe the role that each of the following play in providing risk assurance to the board: I. Management
Management - provide management assurance that they are complying with the risk management framework, that they have identified, assessed and are managing their own risks in line with the agreed risk appetite. Where additional risk responses are required, management will provide assurance that they have established these and are on track to deliver the additional action. Management will also have to escalate significant emerging risks to the board, potentially through the risk management function.
List four ways in which a risk manager could effectively and efficiently monitor their organisation's business and risk environment.
Newsfeeds, the media, industry or sector journals, and reputable websites, consulting company research and analysis reports, global surveys (etc.).
In respect of the positive management of an organisation's risk culture, complete the following sentence by entering the four missing words: Organisations face numerous risks and build a/an ____________ environment that senior managers believe will manage the effects of risks at a cost that is acceptable. The aim is to create a risk ____________ that sits within the organisation's risk ____________ and __________.
Organisations face numerous risks and build a control environment that senior managers believe will manage the effects of risks at a cost that is acceptable. The aim is to create a risk profile that sits within the organisation's risk appetite and tolerances.
Describe the six components of the PESTLE risk classification system and state what type of risk this tool is best used for analysing.
• Political
• Economic
• Sociological or socio-cultural
• Technological
• Legal
• Environmental or ethical
This tool is best used for analysing external risks, the external risk environment and strategic risks.
Summarise the four stages that will occur in the RMIS project's implementation lifecycle.
Project Inception, in which there will be a feasibility study of the project's costs and benefits to the charity. Project Planning, in which there will be a detailed design and plan of the project, with a full schedule of activities, times and projected costs. At this point the procurement will occur and the contract with the chosen provider will be settled. Project Execution will involve the actual delivery of the project, in which risks must be monitored around time, cost and quality. Project Closure involves the handover to the charity and the beginning of operation. The charity should then review the project to ensure the implementation works as expected and to determine whether any lessons can be learned.
Describe three ways in which Corporate Social Responsibility (CSR) can benefit an organisation.
• Protecting and enhancing reputation, brand and trust
• Attracting, motivating and retaining talent
• Improving operational and cost efficiency
• Developing new business opportunities
With reference to the abbreviation 'CRAM', correct the following recommended list of a manager's people skills: 'communication, resourcing, analytical and monitoring skills'.
'Resourcing' should read 'relationships' and 'monitoring' should read 'management'.
Explain the difference between risk appetite and risk tolerance, giving an example of each
Risk appetite is often considered to be the positive aspects of risk that organisations seek, such as the development of new products that will bring high returns but carry the potential to fail and result in losses. Risk appetite refers to the core mission or strategy of the organisation. Tolerance refers to the limit of negative effects of risk an organisation is willing to accept before taking some further risk treatment action to address the underlying drivers of risk.
Describe what is meant by 'risk protocols' and a 'risk strategy'. Explain how risk protocols and a risk strategy could help the company in developing a good risk management process to deal with Sarbanes Oxley compliance
Risk Strategy (adapted to fit Sarbanes-Oxley compliance risk)
It is important for the company to have a clearly established strategy in relation to risk management. The risk management strategy will be set out in the risk management policy statement. The risk strategy needs to be based on the overall approach of the business to risk and risk management. An important component of that risk strategy will be the requirement that there is risk management input into strategy, projects and operations; in this case it might be in terms of developing a Sarbanes-Oxley implementation project to ensure future compliance. In order to establish the risk management strategy, important decisions will need to be made about the risk appetite of the business, along with awareness of risk capacity, and these will be critical to a successful risk process. For example, without a clear risk appetite, managers will not know whether or not a financial reporting risk or a deficiency in financial controls is significant enough to warrant treatment. The risk management strategy will include details of what the company is seeking to achieve with respect to risk management towards SOX compliance. The strategy may set out the details of the level of risk maturity that is desired, together with information on the level of contribution that is expected from risk management. In effect, the risk management strategy will establish the way in which risk management activities in relation to SOX are aligned with the other activities in the business and the contribution that is expected from risk management activities. In that sense it is the starting point for the risk management process and is vital because it provides the ultimate objective against which the success or failure of risk management is measured. It is, in effect, the authority behind the Sarbanes-Oxley compliance risk management process.
Risk strategy, appetite, attitudes and philosophy are defined in the risk management policy and thus provide a high-level guide for managers managing all risk (not just SOX risk) through the risk process.
Risk Protocols (Hopkin p79-81, Study guide p21-22; again adapted to fit SOX compliance)
Risk protocols are defined in the risk guidelines for the company and include the rules and procedures, as well as the risk management methodologies, tools and techniques that should be used. They are vital for the delivery of the business's risk management process and ensure that RM is undertaken in a consistent and controlled way, which facilitates the embedding of RM. The embedding of risk awareness and sufficiently robust financial controls is essential for the process of SOX compliance. Procedures and protocols for undertaking the assessment of risks to Sarbanes-Oxley compliance will need to be established in writing. The business will also need to produce guidance on the frequency and nature of SOX risk reports and who is responsible for compiling the information; this fits into the process elements of monitoring and review, along with the communication and consultation aspects of the RM process. The risk protocols should also describe the extent of record keeping that is required for SOX compliance, and thus support the risk process's consistency and give guidance on how to do things through the RM process. Risk management protocols describe the range of activities that are undertaken in the name of SOX risk management. The protocols define the activities that must be undertaken during the SOX risk process and how they will be undertaken. Risk management guidelines normally refer to the standards that should be achieved. In some cases, the guidelines will include details of the controls that are in place. This will be especially true for guidelines that identify procedures that must be undertaken.
These procedures will provide direction for directors, managers and staff within the company. Note that Hopkin explains that the successful delivery of the RM process also requires clarity and agreement on the risk architecture. If the business does not know who should do what in terms of risk management and how each person accounts for what they do, then the RM process will certainly not work effectively both generally and more specifically for SOX compliance.
List four situations in which employees have particular health and safety training needs
Some employees may have particular training needs, for example:
• New recruits need basic induction training on how to work safely, including arrangements for first aid, fire and evacuation.
• People changing jobs or taking on extra responsibilities need to know about any new health and safety implications.
• Young employees are particularly vulnerable to accidents and you need to pay particular attention to their needs, so their training should be a priority. It is also important that new, inexperienced or young employees are adequately supervised.
• Some people's skills may need updating by refresher training.
Who is the primary customer of an internal audit in your financial services organisation
The 'end customer' of internal audit is the board of directors, who place reliance on their assurances on the system of internal control. No system guarantees immunity from the effects of risks, but the board seeks a considered view on how the risk environment is controlled. Internal audit should provide that view. Local management are not the end customer.
Describe how a professional internal audit service should add value to its organisation
The IIA's Definition of internal auditing helps describe how internal audit adds value. 'Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.'
In setting up a 'risk architecture', the board are considering whether the audit committee should report to the risk committee, or whether the risk committee should report to the audit committee.
The preferable arrangement is that the risk committee should report to the audit committee.
The Chartered Institute of Management Accountants (2010) report shows that Birmingham City Council and Tesco linked risk management with performance targets. Identify four advantages of using this approach
The performance information provides feedback for the risk management process. This has the advantage of helping to prioritise actions. Linking risk management to performance standards is key in ensuring risk management is embedded in the organisation. Performance standards that fall short of expectations or target can indicate the effect of risk events or slowly operating control failures. Performance measures can be seen as representations of objectives, thus an organization which links the idea of risks to objectives goes to the heart of what risks and risk management is all about.
Describe what is meant by a 'risk aware' culture.
Risk culture is a notoriously ill-defined area in risk: there are many definitions of culture and many of risk. The module study guide's definition, 'risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or teams or groups within an organisation', shows the relationships running right through from the individual's approach to risk to the risk culture of the whole organisation; this is also taken from the IRM guide. To answer the question, then, we are looking for candidates to provide a little discussion around what is meant by culture and then adapt it so that risk is brought into the discussion, as the IRM Risk Culture guide tries to do. Good answers will bring together thoughts from more than one source. So, for example: the culture of an organisation is a reflection of the overall attitude of every component of management within a company. The culture of an organisation determines how individuals will behave in particular circumstances. The culture will define how an individual feels obliged to behave in all circumstances. A good risk culture will be the product of individual and group values and of attitudes and patterns of behaviour. This will lead to a commitment to the risk management objectives of the organisation. Organisations with a risk aware culture are characterised by communication founded on mutual trust and a shared perception of the importance of risk management.
Evaluate the role and responsibilities of a risk committee
The role and responsibilities of a risk committee could include:
• To champion effective risk management and support you in your role
• To advise the board on risk management and to foster a culture that emphasises and demonstrates the benefits of effective risk management
• To make appropriate recommendations to the board on all significant matters relating to the risk strategy and policies of the company
• To monitor the performance of the risk management systems and review reports prepared by the relevant parties
• To keep under review the effectiveness of the risk management infrastructure of the company
• To review the risk exposure of the company in relation to its risk appetite
Define what the overall approach of Governance, Risk and Compliance is based on
The separation of functions.
Assess two disadvantages of establishing a risk committee in this organisation
Two potential disadvantages of establishing such a body in this organisation include:
• it could become a talking shop rather than an effective driving force for improvement
• additional time and resource costs associated with committee meetings may outweigh the benefits
• possible conflict or duplication with elements of the work of other committees, such as an audit committee
• it may not get sufficient buy-in or the right membership
Describe what is meant by the UK Corporate Governance Code's 'comply or explain' requirement
Ultimately, compliance with the Code is not a legal requirement, but listed companies are required to state in their annual report and accounts the areas where they are not complying with the Code and to explain why. The thinking is that if shareholders do not agree with the explanation in any area of non-compliance, they will seek to influence change or withdraw their investment.
Explain three benefits of outsourcing business functions to a third party
a risk emphasis for a major retailer would be 'brand management' because if the brand reputation is eroded, it will be hard for the retailer to compete.
Describe the levels of risk maturity. From these levels evaluate and justify what you believe to be the present level of risk maturity in the company
Risk maturity can be defined as the level to which risk management is embedded in the organisation. The combined elements of LILAC in Q3 could be used as a starter for evaluating risk maturity, and in fact the study guide (p30) links risk maturity directly to risk culture. Hopkin and many others highlight a range of levels of risk maturity that can prevail within an organisation. Some of the alternative ranges of maturity measures include the reform - conform - perform - deform continuum (Hopkin 2014:46) and the five-level model from the Institute of Internal Auditors. Evaluate: there is evidence that our organisation has a fairly low level of maturity. This is evidenced by its repeated exposure to risk crystallisations, a lack of engagement with stakeholders and a lack of knowledge throughout the enterprise of key objectives and therefore key risks. However, by being aware of the shortcomings and employing a risk consultant, there is some evidence of risk awareness. In doing this we have used the LILAC risk culture card to assess our organisation's maturity. To conclude, we take the view that our risk maturity is presently 'novice'.
Identify four emerging risks that the financial services organisation will not typically be able to control effectively through its own actions.
• Climate change
• Sovereign debt
• National security
• Changing demographics
• International migration