Study Unit Four - Risk Management


True/False: Senior management has an oversight function in regards to risk management.

False. Boards have an oversight function.

True/False: Qualitative methods are less efficient and more costly than quantitative methods for assessing risk.

False. Qualitative methods are more efficient and less costly than quantitative methods for assessing risk.

The Risk Management Process Step 4: Risk Response True/False: Inherent risk is the risk that remains after risk responses are executed.

False. Residual risk is the risk that remains after risk responses are executed.

ERM is based on the premise that every organization exists to provide _______ for its stakeholders.

Value

_______ is the organization's aspirations for what it intends to achieve over time.

Vision

What does a gap analysis determine?

Whether risks are identified and assessed adequately.

What are the five categories of risk responses?

1. Acceptance 2. Avoidance 3. Pursuit 4. Reduction 5. Sharing

The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding what five things? (Implementation Standard 2120.A1)

1. Achievement of the organization's strategic objectives 2. Reliability and integrity of financial and operational information 3. Effectiveness and efficiency of operations and programs 4. Safeguarding of assets 5. Compliance with laws, regulations, policies, procedures, and contracts (Implementation Standard 2120.A1)

In addition to severity, what four factors are considered when prioritizing risks?

1. Agreed-upon criteria 2. Risk appetite 3. The importance of the affected business objectives 4. The organizational level(s) affected

The Risk Management Process Step 3: Risk Assessment and Prioritization The risk assessment process involves what three steps?

1. Assessing the significance of an event 2. Assessing the event's likelihood 3. Considering the means of managing the risk

The Risk Management Process Step 2: Risk Identification What are three alternative methods for identifying risk?

1. Brainstorming 2. SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats) 3. Scenario Analysis (What-If Analysis)

What are the four internal environment factors relating to business context?

1. Capital 2. People 3. Processes 4. Technology

The ISO 31000 risk management process consists of what seven elements?

1. Communication and Consultation 2. Establishing the Context 3. Risk Identification 4. Risk Analysis 5. Risk Evaluation 6. Risk Treatment 7. Monitor and Review

What are five examples of agreed-upon criteria for evaluating and prioritizing risks?

1. Complexity: The nature and scope of a risk 2. Velocity: The speed at which a risk affects the entity 3. Persistence: How long a risk affects the entity, including the time it takes the entity to recover 4. Adaptability: The entity's capacity to adjust and respond to risks 5. Recovery: The entity's capacity (not the time) to return to tolerance

What are the three elements of effective data management?

1. Data and Information Governance 2. Processes and Controls 3. Data Management Architecture

What are five risk identification methods and approaches?

1. Day-To-Day Activities 2. Simple Questionnaires 3. Facilitated Workshops 4. Interviews 5. Data Tracking

Business context may be what three things?

1. Dynamic: New, emerging, and changing risks can appear at any time 2. Complex: A context may have many interdependencies and interconnections 3. Unpredictable: Change occurs rapidly and in unanticipated ways

The Risk Management Process Step 2: Risk Identification What are six methods for identifying risks?

1. Event inventories 2. Questionnaires and surveys 3. Leading event indicators and escalation triggers 4. Facilitated workshops and interviews 5. Process flow analysis 6. Loss event data methodologies

What are the four types of risks?

1. Financial 2. Operational 3. Legal or Regulatory 4. Strategic

The internal audit activity must evaluate risk exposures relating to what three things within an organization? (Implementation Standard 2120.A1)

1. Governance 2. Operations 3. Information Systems (Implementation Standard 2120.A1)

What are the two supporting aspect components of the COSO ERM framework?

1. Governance and Culture 2. Information, Communication, and Reporting

Risk management processes include what five things?

1. Identification of Context 2. Risk Identification 3. Risk Assessment and Prioritization (i.e., Risk Analysis) 4. Risk Response 5. Risk Monitoring

A risk officer is commonly referred to as what?

A Centralized Coordinator

What defines a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization?

A Risk Management Framework

Definition: COSO Risk Management Framework

A framework that provides a basis for coordinating and integrating all of an organization's risk management activities.

Definition: Risk Management

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

_______ is when action is taken to remove the risk. This risk response typically suggests no response would reduce the risk to an acceptable level.

Avoidance

Company management completes event identification and assesses the severity of risk. Management then acts to alter the severity of risk. According to COSO, which of the following types of risk does this situation represent? A. Inherent Risk B. Actual Residual Risk C. Event Risk D. Detection Risk

B. Actual Residual Risk Explanation: Actual residual risk is the risk that remains after management acts to alter its severity. Inherent risk is the risk that exists in the absence of management actions to alter its severity.

The internal audit activity must evaluate the _______ and _______ of risk management processes. (Performance Standard 2120)

Effectiveness, Contribute to the Improvement (Performance Standard 2120)

Portfolio view is similar to a risk profile. The difference is that it is a composite view of the risks related to _______ strategy and business objectives and their effects on _______ performance.

Entity-Wide, Entity

The internal audit activity must evaluate the potential for the occurrence of _______ and how the organization manages _______. (Implementation Standard 2120.A2)

Fraud, Fraud Risk (Implementation Standard 2120.A2)

_______ means the components, principles, and controls continue to operate to achieve objectives.

Functioning

The following principles relate to what supporting aspect component of the COSO ERM framework? 1. The organization leverages its information systems to support ERM 2. The organization uses communication channels to support ERM 3. The organization reports on risk, culture, and performance at multiple levels and across the entity

Information, Communication, and Reporting

_______ is the risk in the absence of management actions to alter its severity.

Inherent Risk

At what level in the Capability Maturity Model are few processes defined?

Initial Level

Key indicators of risk should be reported with _______ to emphasize the relationship of risk and performance.

Key Performance Indicators (KPIs)

Within the ISO 31000 framework, the _______ assurance approach evaluates whether the eleven risk management principles are in practice.

Key Principles

Determining whether risk management processes are effective is a _______ resulting from the internal auditor's assessment. (Interpretation of Standard 2120)

Judgement (Interpretation of Standard 2120)

Within the ISO 31000 framework, the _______ assurance approach is based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process.

Maturity Model

_______ is the organization's core purpose.

Mission

_______ is any action or potential action that creates or alters goals or approaches for the creation, preservation, or realization of value.

Opportunity

At what level in the Capability Maturity Model is continuous improvement enabled?

Optimizing Level

Risk management processes may be formal or informal, _______ or _______, or embedded in business units or centralized. They are designed to fit the organization's culture, management style, and objectives.

Quantitative, Subjective

_______ is when action is taken to reduce the severity of the risk so that it is within the target residual risk profile and risk appetite.

Reduction

The Risk Management Process Step 4: Risk Response Example: A company has a fear of their pipeline being sabotaged so they sell the pipeline in response. What type of risk response is this?

Risk Avoidance

The Risk Management Process Step 4: Risk Response _______ ends the activity from which the risk arises.

Risk Avoidance

_______ is the maximum amount of risk the organization can assume.

Risk Capacity

In which risk view are identified and assessed risks categorized based on operating structures?

Risk Category View (Limited Integration)

Within the ISO 31000 framework, _______ is the process that prioritizes the identified risks.

Risk Evaluation

Within the ISO 31000 framework, _______ is the process that considers sources of risk, areas of impact, and potential events and their causes and consequences.

Risk Identification

_______ consists of all identified risks that affect strategy and business objectives.

Risk Inventory

If the CAE concludes that management has accepted a level of risk that may be unacceptable, the CAE must discuss the matter with _______ and may need to communicate the matter to _______.

Senior Management, The Board

_______ is a measure of such considerations as impact, likelihood, and the time to recover from events.

Severity

_______ is when action is taken to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are insurance, hedging, joint ventures, and outsourcing.

Sharing

The Risk Management Process Step 4: Risk Response Definition: Residual risk

The risk that remains after risk responses are executed.

_______ relates to the ERM practices that support the organization's decisions in pursuit of value.

Performance

_______ should reflect how risk assessment results are expressed.

Risk Appetite

The Risk Management Process Step 3: Risk Assessment and Prioritization Risk modeling in a consulting service is done by ranking the engagement's potential to do what three things?

1. Improve management of risks 2. Add value 3. Improve the organization's operations

The Capability Maturity Model (CMM) consists of what five maturity levels presented in order of maturity?

1. Initial 2. Repeatable 3. Defined 4. Managed 5. Optimizing

The Risk Management Process Step 2: Risk Identification What are three examples of internal risk factors at the entity level?

1. Interruptions in automated systems 2. The quality of personnel hired 3. The level of training provided

What are the three approaches to providing assurance on the risk management process as described by the ISO 31000 framework?

1. Key Principles 2. Process Element 3. Maturity Model

The Risk Management Process Step 1: Identification of Context A precondition to risk identification is identifying the significant contexts within which risks should be managed. Contexts include what six things?

1. Laws and Regulations 2. Capital Projects 3. Business Processes 4. Technology 5. Market Risk (i.e., Interest Rates, Foreign Exchange Rates, Equity Investments) 6. Organizations

What are two external factors that shape culture?

1. Legal requirements 2. Expectations of stakeholders

The Risk Management Process Step 3: Risk Assessment and Prioritization What are three qualitative methods for risk assessment?

1. Lists of All Risks 2. Risk Rankings 3. Risk Maps

What are the five components of the ISO 31000 risk management framework?

1. Mandate and Commitment 2. Design of a Framework 3. Implementing Risk Management 4. Monitoring and Review 5. Continual Improvement

What are the six external environment factors relating to business context?

1. Political 2. Economic 3. Social 4. Technological 5. Legal 6. Environmental

The Risk Management Process Step 4: Risk Response In large or complex entities, senior management may appoint a risk committee. What are the two responsibilities of a risk committee?

1. Review the risks identified by the various operating units 2. Create a response plan

The Risk Management Process Step 4: Risk Response What are the four strategies for risk response?

1. Risk Avoidance 2. Risk Retention 3. Risk Reduction 4. Risk Sharing

The following four risk views have different levels of risk integration. Name the level of risk integration for each view: 1. Risk Profile View 2. Risk View 3. Portfolio View 4. Risk Category View

1. Risk Profile View: Partial Integration 2. Risk View: Minimal Integration 3. Portfolio View: Full Integration 4. Risk Category View: Limited Integration

What are the four risk views?

1. Risk View 2. Risk Category View 3. Risk Profile View 4. Portfolio View

The CAE and internal auditors should obtain a clear understanding of what six things within the organization for the risk management process?

1. Risk appetite 2. Business missions and objectives 3. Business strategies 4. Risks identified by management 5. Current risk management environment and prior corrective actions 6. Means of identifying, assessing, and overseeing risks

What are three approaches to evaluating strategy?

1. SWOT Analysis (Strengths-Weaknesses-Opportunities-Threats) 2. Competitor Analysis 3. Scenario Analysis

What are the three common process components of the COSO ERM framework?

1. Strategy and Objective-Setting 2. Performance 3. Review and Revision

The Risk Management Process Step 2: Risk Identification What are two examples of external risk factors at the entity level?

1. Technological changes 2. Changes in customer wants and expectations

What are three internal factors that shape culture?

1. The level of judgement and autonomy allowed to personnel 2. Standards and rules 3. The reward system in place

The Risk Management Process Step 5: Risk Monitoring The two most important sources of information for ongoing assessments of the adequacy of risk responses (and the changing nature of the risks) are?

1. Those closest to the activities 2. The audit function

The Risk Management Process Step 5: Risk Monitoring Risk monitoring does what four things?

1. Tracks identified risks 2. Evaluates current risk response plans 3. Monitors residual risks 4. Identifies new risks

Within the ISO 31000 framework, the maturity model assurance approach determines where the risk management process is on the maturity curve and evaluates what three things?

1. Whether it is progressing as expected 2. Whether it adds value 3. Whether it meets organizational needs

Which of the following is the correct order of steps in the risk management process? 1. Identify Risks 2. Monitor Risk Responses 3. Formulate Risk Responses 4. Assess and Prioritize Risks 5. Identify Context A. 5, 1, 4, 3, 2 B. 1, 4, 3, 2, 5 C. 1, 3, 5, 4, 2 D. 1, 5, 4, 3, 2

A. 5, 1, 4, 3, 2 Explanation: Step One: Identify Context Step Two: Identify Risks Step Three: Assess and Prioritize Risks Step Four: Formulate Risk Responses Step Five: Monitor Risk Responses

According to COSO's ERM framework, which view of risk is fully integrated? A. Portfolio View B. Risk View C. Risk Profile View D. Risk Category View

A. Portfolio View

Value is created when: A. The benefits obtained from the resources used exceed their costs. B. The value of resources used is sustained. C. Benefits are transferred to stakeholders. D. Management's strategy does not produce expected results or management does not perform day-to-day tasks.

A. The benefits obtained from the resources used exceed their costs.

_______ is when no action is taken to alter the severity of the risk. This risk response is appropriate when the risk is within the risk appetite.

Acceptance

_______ is the risk that remains after management actions to alter its severity.

Actual Residual Risk

_______ are used to evaluate the characteristics of risks and to determine the entity's capacity to respond appropriately.

Agreed-Upon Criteria

The third line of management accountability is the _______. This level reviews ERM, identifies issues and improvements, and informs the board and executives of matters needing resolution.

Assurance Function (Internal Auditing)

Management must focus on risks at what level of the entity and take the necessary action to manage them?

At All Levels

Which of the following members of an organization has ultimate ownership and responsibility of the enterprise risk management, provides leadership and direction to senior managers, and monitors the entity's overall risk activities in relation to its risk appetite? A. Chief Risk Officer B. Chief Executive Officer C. Internal Auditors D. The Board

B. Chief Executive Officer Explanation: The CEO sets the tone at the top of the organization and has ultimate responsibility for ownership of the ERM.

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the adequacy of risk management processes, internal auditors most likely should: A. Recognize that organizations should use similar techniques for managing risk B. Determine that the key objectives of risk management processes are being met C. Determine the level of risks acceptable to the organization D. Treat the evaluation of risk management processes in the same manner as the risk analysis used to plan engagements

B. Determine that the key objectives of risk management processes are being met

According to COSO, which of the following components of the enterprise risk management addresses an entity's operating structures and core values? A. Review and Revision B. Governance and Culture C. Strategy and Objective-Setting D. Information, Communication, and Reporting

B. Governance and Culture

Which of the following is a false statement about risk responses? A. Each organization must assess the relationship between the likelihood and significance of risks B. Identified risks cannot simply be accepted C. Some risks require the creation of elaborate control structures D. There is no direct correlation between the severity of a risk and the cost of the response to that risk

B. Identified risks cannot simply be accepted Explanation: While some risks require the creation of elaborate control structures, others may simply be accepted.

Which of the following activities is outside the scope of internal auditing? A. Evaluating risk exposures regarding compliance with policies, procedures, and contracts B. Safeguarding of assets C. Evaluating risk exposures regarding compliance with laws and regulations D. Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished.

B. Safeguarding of assets Explanation: Safeguarding of assets is an operational activity and is therefore beyond the scope of the internal audit activity. However, the internal audit activity's assurance function evaluates the adequacy and effectiveness of controls related to the organization's governance, operations, and information systems regarding the safeguarding of assets.

Value is preserved when: A. The benefits obtained from the resources used exceed their costs. B. The value of resources used is sustained. C. Benefits are transferred to stakeholders. D. Management's strategy does not produce expected results or management does not perform day-to-day tasks.

B. The value of resources used is sustained.

One of the factors considered in selecting and implementing risk responses is that they should be chosen for, or adapted to, the _______.

Business Context

_______ pertains to the relationships, events, trends, and other factors that influence the organization's strategy and business objectives.

Business Context

_______ are specific, measurable, observable, and obtainable.

Business Objectives

_______ are the steps taken to achieve the strategy.

Business Objectives

Value is realized when: A. The benefits obtained from the resources used exceed their costs. B. The value of resources used is sustained. C. Benefits are transferred to stakeholders. D. Management's strategy does not produce expected results or management does not perform day-to-day tasks.

C. Benefits are transferred to stakeholders.

The organization's definition of _______ determines its placement on the culture spectrum, which ranges from risk averse to risk aggressive.

Culture

Each of the following is a limitation of enterprise risk management (ERM), except: A. ERM deals with risk, which relates to the future and is inherently uncertain B. ERM operates at different levels with respect to different objectives C. ERM can provide absolute assurance with respect to objective categories D. ERM is as effective as the people responsible for its functioning

C. ERM can provide absolute assurance with respect to objective categories Explanation: ERM cannot provide absolute assurance with respect to different objectives. However, if it could, it would be an advantage, not a limitation.

Which of the following is closely related to traditional risk management instead of enterprise risk management (ERM)? A. Rapid response to opportunities B. Organization-level view of risk C. Emphasis on specific functions D. Achieving financial goals

C. Emphasis on specific functions Explanation: The enterprise risk management approach set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) attempts to approach an organization as a whole instead of focusing on any specific area of risk.

Internal auditors should review the means of physically safeguarding assets from losses arising from: A. Misapplication of accounting principles B. Procedures that are not cost justified C. Exposure to the elements D. Underusage of physical facilities

C. Exposure to the elements Explanation: The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets. For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.

Which of the following is not an activity undertaken as part of risk management? A. Risk Identification B. Risk Analysis C. Risk Exposure D. Risk Response

C. Risk Exposure

Which of the following is the most accurate term for a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives? A. The Internal Audit Activity B. Control Process C. Risk Management D. Consulting Service

C. Risk Management

Which of the following approaches to providing assurance on the risk management process is based on the principle that effective risk management processes develop as value is added at each stage of maturation? A. The Process Element Approach B. The Key Principles Approach C. The Maturity Model Approach D. None of the answers are correct

C. The Maturity Model Approach

Standard 2120 states that the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Conformance with Standard 2120 is best demonstrated by: A. The work programs for formal consulting engagements B. The business continuity plan C. The charter of the internal audit activity D. Review by the internal auditors immediately following a disaster

C. The charter of the internal audit activity Explanation: Documents demonstrating conformance with Standard 2120 include the internal audit charter, the internal audit plan, minutes of meetings in which internal audit recommendations were discussed, internal audit risk assessments, and internal audit action plans addressing risks.

_______ may be directed to examine, evaluate, report, or recommend improvements to the risk management process.

The Internal Audit Activity

Which of the following is not a component of the ISO 31000 model? A. Monitoring and Review B. Continual Improvement C. Unitary Control Framework D. Design of Framework

C. Unitary Control Framework

The _______ provides criteria for assessing whether the organization's ERM culture, capabilities, and practices together effectively manage risks to strategy and business objectives.

COSO ERM Framework

One of the factors considered in selecting and implementing risk responses is that they should further _______ with obligations and achievement of _______.

Compliance, Expectations

During _______ engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks. (Implementation Standard 2120.C1)

Consulting (Implementation Standard 2120.C1)

Which component of the ISO 31000 risk management framework ensures the long-term effectiveness of risk management processes?

Continual Improvement

_______ are designed and implemented to ensure risk responses are carried out.

Control Activities

The Risk Management Process Step 4: Risk Response _______ is the risk that controls fail to effectively manage controllable risks.

Control Risk

The Risk Management Process Step 4: Risk Response What defines actions taken by management to manage risk and ensure risk responses are carried out?

Controls

_______ are the organization's essential beliefs about what is acceptable or unacceptable.

Core Values

One of the factors considered in selecting and implementing risk responses is that the _______ and _______ should be proportionate to the severity of the risk and its priority.

Costs, Benefits

Value is eroded when: A. The benefits obtained from the resources used exceed their costs. B. The value of resources used is sustained. C. Benefits are transferred to stakeholders. D. Management's strategy does not produce expected results or management does not perform day-to-day tasks.

D. Management's strategy does not produce expected results or management does not perform day-to-day tasks.

Management considers risk appetite for all of the following reasons except: A. Aligning with development of strategy B. Aligning with business objectives C. Implementing risk responses D. Setting risk capacity

D. Setting risk capacity Explanation: Risk appetite consists of the types and amount of risk the entity is willing to accept in pursuit of value. Risk appetite should be considered in: 1. Aligning with development of strategy 2. Aligning with business objectives 3. Prioritizing risks 4. Implementing risk responses Risk capacity is the maximum amount of risk an entity is able to assume. Management considers risk capacity in setting risk appetite.

What defines raw facts collectible for analysis, use, or reference?

Data

_______ practices help ensure that risk information is useful, timely, relevant, and of high quality.

Data Management

The COSO ERM framework provides a basis for coordinating and integrating all of an organization's risk management activities. Effective integration improves _______ and enhances _______.

Decision Making, Performance

At what level in the Capability Maturity Model are standards developed?

Defined Level

What do operating structures do?

Describe how the entity is organized and carries out its day-to-day operations

Which component of the ISO 31000 risk management framework ensures a foundation is established for effective risk management processes?

Design of a Framework

Within the ISO 31000 framework, _______ is the process that identifies and understands the external and internal factors that will influence the organization's risk management. This element also considers the organization's risk appetite and risk tolerance levels.

Establishing the Context

The Risk Management Process Step 2: Risk Identification Risk identification should be performed at what level of the entity relevant to the identified contexts?

Every Level (Entity-Level, Division Level, Business Unit Level)

An organization may designate a risk officer as a centralized coordinating point to do what?

Facilitate risk management across the entire enterprise

The COSO ERM Framework consists of _______ interrelated components. _______ principles are distributed among the components.

Five, Twenty

The following principles relate to what supporting aspect component of the COSO ERM framework? 1. The board exercises risk oversight 2. The organization establishes operating structures 3. The organization defines the desired culture 4. The organization demonstrates commitment to core values 5. The organization attracts, develops, and retains capable individuals

Governance and Culture

_______ sets the organization's tone and establishes responsibilities for ERM. _______ relates to the desired behaviors, values, and overall understanding about risk held by personnel within the organization.

Governance, Culture

The internal audit activity also has a consulting role in _______, _______, and _______ risk management methods and controls.

Identifying, Evaluating, Implementing

_______ is the result or effect of the risk. This may be positive or negative.

Impact

Risk is measured in terms of _______ and _______.

Impact, Likelihood

Which component of the ISO 31000 risk management framework assists the organization to achieve its objectives?

Implementing Risk Management

Which operating structure determines how the entity operates?

Legal Structure

_______ is the possibility that an event will occur. This may be expressed qualitatively, quantitatively, or in terms of frequency.

Likelihood

At what level in the Capability Maturity Model are performance measures defined?

Managed Level

Who ensures that sound risk management processes are functioning?

Management

Who has overall responsibility for ERM and is generally responsible for the day-to-day managing of risk, including the implementation and development of the COSO ERM framework?

Management

Who is responsible for clearly defining roles and responsibilities in an organization?

Management

Who is responsible for defining the human capital necessary (the needed competencies) to achieve strategy and business objectives within an organization?

Management

Who is responsible for implementing controls to ensure reports are accurate, complete, and clear?

Management

Within the ISO 31000 framework, who is responsible for setting the organization's risk attitude, which ISO defines as an "organization's approach to assess and eventually pursue, retain, take, or turn away from risk," and who is also responsible for identifying and managing risks?

Management

Which operating structure establishes reporting lines, roles, and responsibilities?

Management Structure

Which component of the ISO 31000 risk management framework ensures that risk management processes are consistent with the organization's objectives and sufficient resources have been committed toward its success?

Mandate and Commitment

Within the ISO 31000 framework, _______ is the process that evaluates whether the risk treatments are effective.

Monitor and Review

Which component of the ISO 31000 risk management framework assesses the effectiveness of risk management processes?

Monitoring and Review

Risk is assessed at what level of the organization and linked to the related strategy and business objective?

Multiple Levels (e.g., entity, division, operating unit, and function)

The Risk Management Process Step 2: Risk Identification Risk identification should consider _______ and _______.

Past Events, Future Possibilities

The following principles relate to what common process component of the COSO ERM framework?
1. The organization identifies risks that affect the performance of strategy and business objectives
2. The organization assesses the severity of risk
3. The organization prioritizes risks at all levels
4. The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated
5. The organization develops and evaluates its portfolio view of risk

Performance

A _______ system typically consists of the following:
1. Performance standards
2. Criteria on how standards can be satisfied
3. A method of comparing actual performance with each standard
4. A method of recording and reporting performance and improvements in performance
5. Periodic independent verification of management's assessment

Performance Measurement System

A critical aspect of the maturity model approach is that risk management performance and progress in executing the risk management plan should be linked with a _______.

Performance Measurement System

Which risk view is a composite view of risks that relates to entity-wide strategy and business objectives and their effect on entity performance?

Portfolio View (Full Integration)

_______ means the components, principles, and controls exist in the design and implementation of ERM to achieve objectives.

Present

The first line of management accountability consists of the _______. They manage performance and risks taken to achieve strategy and objectives.

Principal Owners of Risk

ISO 31000 is a _______ approach to risk management.

Principles-Based

The Risk Management Process Step 3: Risk Assessment and Prioritization What is the quantitative method for risk assessment?

Probabilistic Models

Within the ISO 31000 framework, the _______ assurance approach evaluates whether the seven risk management elements have been put into practice.

Process Element

One of the factors considered in selecting and implementing risk responses is that they should bring risk within _______ and result in performance outcomes within _______.

Risk Appetite, Tolerance

_______ is when action is taken to accept increased risk to improve performance without exceeding acceptable tolerance.

Pursuit

Which method used to assess risk is more efficient and less costly?

Qualitative

Benchmarking, scenario analysis, and stress testing are all what type of method for evaluating how changes in risk may affect the portfolio view of risk?

Qualitative Method

The Risk Management Process Step 3: Risk Assessment and Prioritization Risk assessment methods may be _______ or _______.

Qualitative, Quantitative

Risk appetite may be expressed _______ or _______, but it should reflect how risk assessment results are expressed.

Qualitatively (e.g., low, moderate, high), Quantitatively (e.g., as a percentage of a financial amount)

Which method used to assess risk is more precise?

Quantitative

Statistical analysis is what type of method for evaluating how changes in risk may affect the portfolio view of risk?

Quantitative Method

At what level in the Capability Maturity Model are basic processes established?

Repeatable Level

The purpose of _______ is to support personnel in their: 1. Understanding of the relationships among risk, culture, and performance 2. Decision making related to setting strategy and objectives, governance, and day-to-day operations

Reporting

_______ combines qualitative and quantitative risk information, with greater emphasis on information that supports forward-looking decisions.

Reporting

The following principles relate to what common process component of the COSO ERM framework?
1. The organization identifies and assesses changes that may substantially affect strategy and business objectives
2. The organization reviews entity performance results and considers risk
3. The organization pursues improvement of ERM

Review and Revision

What must be considered in setting strategy, business objectives, performance targets, and tolerance?

Risk

_______ is the possibility that events will occur and affect the achievement of strategy and business objectives.

Risk

Within the ISO 31000 framework, _______ is the process that considers the impact and likelihood of each risk.

Risk Analysis

Communications between management and the board should include continual discussions about _______ to support ERM.

Risk Appetite

The Risk Management Process Step 4: Risk Response Each organization selects risk responses that align risks with the organization's _______.

Risk Appetite

The organization considers its mission, vision, culture, prior strategies, and risk capacity to set its _______.

Risk Appetite

_______ consists of the amount and types of risk that the organization is willing to accept in pursuit of value.

Risk Appetite

Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's _______. (Implementation Standard 2120.C2)

Risk Management Processes (Implementation Standard 2120.C2)

_______ are monitored through ongoing management activities, separate evaluations, or both. (Interpretation of Standard 2120)

Risk Management Processes (Interpretation of Standard 2120)

The Risk Management Process Step 3: Risk Assessment and Prioritization _______ is a method of risk assessment and prioritization. This method ranks and validates risk priorities when setting the priorities of engagements in the audit plan.

Risk Modeling

What governance function is most effective when the board:
1. Has the necessary skills, experience, and business knowledge to understand the organization's strategy and industry and maintain this understanding as the business context changes
2. Is independent of the organization
3. Determines whether ERM capabilities and practices enhance value
4. Understands the organizational biases influencing decision making and challenges management to minimize them

Risk Oversight

_______ is a composite view of the types, severity, and interdependencies of risks related to a specific strategy or business objective and their effect on performance.

Risk Profile

In which risk view are risks linked to the business objectives they affect, and any dependencies between objectives are identified and assessed?

Risk Profile View (Partial Integration)

The Risk Management Process Step 4: Risk Response Example: A company fears that its systems may be penetrated, so in response it maintains an effective information security function within the entity. What type of risk response is this?

Risk Reduction

The Risk Management Process Step 4: Risk Response Which risk response is another term for mitigation?

Risk Reduction

The Risk Management Process Step 4: Risk Response _______ lowers the level of risk associated with an activity.

Risk Reduction

_______ is an action taken to bring identified risks within the organization's risk appetite.

Risk Response

The Risk Management Process Step 4: Risk Response _______ are the means by which an organization elects to manage individual risks.

Risk Responses

The Risk Management Process Step 4: Risk Response _______ accepts the risk of an activity.

Risk Retention

One of the factors considered in selecting and implementing risk responses is that risk response should reflect _______.

Risk Severity

The Risk Management Process Step 4: Risk Response Insurance, hedging, entering into joint ventures, outsourcing an activity, and contractual agreements with customers, vendors, or other business partners are all examples of what type of risk response?

Risk Sharing

The Risk Management Process Step 4: Risk Response _______ transfers some loss potential to another party.

Risk Sharing

Within the ISO 31000 framework, _______ is the process that decides on an appropriate risk response (avoid, share, reduce, or accept) that is consistent with the organization's risk appetite.

Risk Treatment

In which risk view are risks identified and assessed and the emphasis is on the event, not the business objective?

Risk View (Minimal Integration)

The Risk Management Process Step 5: Risk Monitoring Analyzing _______ and _______ are among the normal responsibilities of internal auditors.

Risks, Responses

Risk management is a key responsibility of whom?

Senior Management and The Board

_______ communicates how the organization will achieve its mission and vision and apply its core values.

Strategy

_______ should be changed if it fails to create, realize, or preserve value.

Strategy

The following principles relate to what common process component of the COSO ERM framework?
1. The organization analyzes business context and its effect on the risk profile
2. The organization defines risk appetite
3. The organization evaluates alternative strategies and their effects on the risk profile
4. The organization establishes business objectives that align with and support strategy

Strategy and Objective Setting

What type of data are generally well organized and easily searchable (e.g., spreadsheets, public indexes, or database files)?

Structured Data

The second line of management accountability consists of the _______. This level of management provides guidance on performance and ERM requirements, evaluates adherence to standards, and challenges the first line to take prudent risks.

Supporting (Business-Enabling) Functions (Risk Officer or Centralized Coordinator)

_______ is the risk the entity prefers to assume knowing that management has acted or will act to alter its severity.

Target Residual Risk

Who determines that risk management processes are in place, adequate, and effective?

The Board

Who provides risk oversight of ERM culture, capabilities, and practices?

The Board

Within the ISO 31000 framework, who is responsible for overseeing risk management and has overall responsibility for ensuring that risks are managed and the risk management system is effective?

The Board

Who is responsible for defining culture in an organization?

The Board and Management

_______ approves the risk appetite, and _______ communicates it throughout the organization.

The Board, Management

What defines the culmination of risk identification, assessment, prioritization, and response?

The Full Portfolio View of Risk

Which framework uses the following eleven principles that are the foundation for an effective risk management process? Risk Management:
1. Creates and protects value
2. Is an integral part of organizational processes
3. Is part of decision making
4. Explicitly addresses uncertainty
5. Is systematic, structured and timely
6. Is based on the best available information
7. Is tailored to each organization
8. Considers human and cultural factors
9. Is transparent and inclusive
10. Is dynamic, repetitive and responsive to change
11. Promotes continuous improvement

The ISO 31000 Framework

_______ determines that the risk management methods chosen are comprehensive and appropriate for the organization.

The Internal Audit Activity

Definition: Culture (In regard to Enterprise Risk Management)

The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.

Definition: Enterprise Risk Management

The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

In regard to risk management, what are the following procedures related to?
1. Organizational objectives support and align with the organization's mission
2. Significant risks are identified and assessed
3. Appropriate risk responses are selected that align risks with the organization's risk appetite
4. Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities
(Interpretation of Standard 2120)

The internal auditor's assessment of the risk management process (Interpretation of Standard 2120)

The Risk Management Process Step 4: Risk Response Definition: Risk Appetite

The level of risk the organization is willing to accept.

The Risk Management Process Step 5: Risk Monitoring Who is in the best position to monitor the effects of the chosen risk response strategies?

The manager of an operating unit

Definition: Risk

The possibility of an event occurring that will have an impact on the achievement of objectives.

Internal auditors review risk assessments by senior management, external auditors, and regulators. What is the purpose of this?

To learn how the organization identifies, addresses, and determines the acceptability of risks.

_______ is the range of acceptable variation in performance results.

Tolerance

True/False: The internal audit activity may gather the information to support its assessment of the risk management process during up to five engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness. (Interpretation of Standard 2120)

True/False: False The internal audit activity may gather the information to support its assessment of the risk management process during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness. (Interpretation of Standard 2120)

True/False: The board should ensure management of its risks and monitor all corrective actions.

True/False: False The internal audit activity should ensure management of its risks and monitor all corrective actions.

The Risk Management Process Step 3: Risk Assessment and Prioritization True/False: The risk assessment process is a formal process.

True/False: False The risk assessment process may be formal or informal.

True/False: When the components, principles, and supporting controls are present and functioning, ERM is expected to manage risks effectively and to help create, preserve, and realize value.

True/False: False When the components, principles, and supporting controls are present and functioning, ERM is reasonably expected to manage risks effectively and to help create, preserve, and realize value. *It is not guaranteed to manage risks effectively.

True/False: Quantitative methods are more precise than qualitative methods for assessing risk.

True/False: True

True/False: Internal audit's role in risk management may range from no role; to auditing the process as part of the audit plan; to active, continuous support and involvement in the process; to managing and coordinating the process.

True/False: True

True/False: When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. (Implementation Standard 2120.C3)

True/False: True (Implementation Standard 2120.C3)

In contrast with the ISO 31000 principles-based approach, the _______ framework's emphasis is on internal control, the assessment of its effectiveness, and risk analysis.

Turnbull Risk Management Framework

What type of data are unorganized or lack a predefined pattern (e.g., word processing documents, videos, photos, or email messages)?

Unstructured Data
