COSO Enterprise Risk Management Framework


Questions and Answers

Why should management prioritize risks in risk management?

  • To focus on risks that pose a significant threat to business objectives, as not all risks are of equal importance. (correct)
  • To address each and every risk the company might face, ensuring complete coverage.
  • To reduce costs, even if it means ignoring high-impact risks.
  • To streamline the risk management process without considering the impact of various risks.

The COSO Enterprise Risk Management framework includes only internal components, disregarding external factors.

False (B)

What is the primary role of the 'internal environment' component in the COSO Enterprise Risk Management framework?

The internal environment sets the tone of the company, influencing the risk and control consciousness of its people.

The top portion of the COSO cube highlights the four objectives of risk management: strategic, operational, __________, and compliance.

reporting

Match each risk response to its appropriate scenario:

  • Accept = Low likelihood and low impact
  • Mitigate = High likelihood and high impact
  • Share = Transferring risk to a third party
  • Avoid = Discontinuing activities that give rise to the risk

What is the ultimate goal of risk response planning?

To reduce residual risk to within desired risk tolerances. (B)

Inherent risk is the risk that remains after applying management's risk responses.

False (B)

Why is it important for management to take a portfolio view of risks?

A portfolio view enables management to analyze enterprise-wide effects and interdependencies among risks.

__________ activities are specific risk mitigation policies and procedures implemented throughout the organization to ensure risk responses are properly executed.

control

Match each type of control with its description:

  • Preventive = Averts negative events before they occur
  • Detective = Identifies errors or fraud that has already occurred
  • Corrective = Rectifies errors or fraud detected

Why is information and communication a critical component of risk management?

It enables personnel to carry out their responsibilities effectively. (C)

Ongoing monitoring and separate evaluations are mutually exclusive and cannot coexist within a risk management framework.

False (B)

What should management do if significant deficiencies are identified during the monitoring of the risk management process?

Significant deficiencies must be communicated to the appropriate level of management and to the board of directors.

When assigning risk ratings, risks should be assessed in terms of __________ and impact.

likelihood

Match each qualitative risk rating with its description:

  • High = There is a big probability that the event will happen.
  • Moderate = There is a moderate possibility that the event will happen.
  • Low = There is a small chance that the event will happen.

If a risk with high likelihood and high impact is identified, what is the appropriate risk response?

Mitigate, share, or avoid the risk. (A)

If the combined risk assessment is low, management must implement strict controls.

False (B)

Provide three possible risk responses for risks rated as 'high likelihood' and 'high impact'.

Mitigate, Share, or Avoid

Residual risk is the risk that __________ after applying management's actions.

remains

Match each component of the risk assessment template with the risk response:

  • Cash vaults = Mitigate
  • Contingency funding plan = Mitigate
  • Business continuity plan = Mitigate
  • Standby credit lines with banks = Mitigate

What is the main objective of monitoring and testing the risk management process?

To know its effectiveness and determine whether risks are kept within the company's risk appetite. (A)

Monitoring the risk management process can only be done through ongoing activities, not through separate evaluations.

False (B)

Deficiencies in the risk management process are reported to whom?

Deficiencies or weaknesses in the process are reported to the appropriate level of management and to the board of directors.

To reiterate, __________ risk is the risk that remains after applying management's actions.

residual

Match each risk-mitigating plan to the activity:

  • Changing the factory layout = Inventory spoilage
  • Opening of new flight routes = A 30% decline in the number of passengers
  • Credit assessment of borrowers' ability to pay = A bank's operating loss could amount to $20 million

Internal control provides reasonable assurance that the objectives of the organization are __________.

achieved (A)

Internal control is an end in itself rather than a means toward achieving the objectives of the company.

False (B)

What does COSO stand for?

The Committee of Sponsoring Organizations of the Treadway Commission

The COSO cube shows the three categories of internal control objectives, namely: effective and efficient operations; reliability of financial and nonfinancial __________; and compliance with applicable laws and regulations.

reporting

Flashcards

Risk Management

Addresses risks threatening business objectives.

Risk Prioritization

Focus on significant threats to business objectives.

Risk Assessment Result

Determines appropriate risk response and controls.

Business Objectives

Strategic, operational, reporting, compliance.

Components of Risk Management

The elements that make up the risk management process.

Internal Environment

Reflects risk philosophy, risk appetite, board oversight, ethics.

Risk Awareness

Board and management understanding of risks.

Internal Environment

Commitment to competence is also part of it.

Objective Setting

Precondition to event identification and risk response.

Risk Appetite

Level of risk a company can accept.

Event Identification

Identifies events affecting strategic objectives.

Risk Assessment

Considers techniques to evaluate likelihood and impact.

Inherent Risk

Susceptibility to risk without management actions.

Residual Risk

Risk remaining after applying management actions.

Risk Response

Considers alternative risk response options.

Control Activities

Implements policies and procedures.

Information and Communication

Identifies, captures, and communicates pertinent information.

Monitoring

Activities and evaluations assessing risk management.

Likelihood

Probability of the event occurring.

Impact

Magnitude of the event's consequence.

Risk Assessment

Involves assigning likelihood and impact risk ratings.

Risk Map

Graphic representation of likelihood and impact.

Control Activities

Specific risk mitigation policies and procedures.

Monitoring

Determines whether the components of the process are effective.

Information and Communication

Ensures people are performing their responsibilities.

Internal Control

Achieving objectives, reliable reporting, compliance with laws.

Internal Controls

Ensure the continuous processing of transactions.

Window Dressing

An inappropriate practice that internal controls are needed to prevent.

Study Notes

  • Risk management is vital: without it, businesses risk not achieving their goals, so risk managers need to know these vulnerabilities.
  • Addressing every risk is too expensive, so management prioritizes significant risks.
  • Risk assessment results determine the risk response and controls; this is part of the COSO Enterprise Risk Management framework.

Components of COSO Enterprise Risk Management

  • The framework is shown as the COSO Cube.
  • The top highlights four objectives: strategic, operational, reporting, compliance.
  • The front identifies eight components, applied across the enterprise.
  • These components make up the risk management process: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

Internal Environment

  • Reflects the company's risk management philosophy, risk appetite, oversight, ethics, competence, authority, and responsibility.
  • It encompasses the "tone at the top" and influences governance, risk and control consciousness.
  • The board and management must understand risks in order to oversee risk management effectively.
  • Actions like prioritizing risk management and providing resources show that the management team believes risk management is important; this is part of the company's risk management philosophy.
  • Commitment and competence are part of it. The best process fails if people aren't competent.
  • Personnel must have integrity and ethics.

Objective Setting

  • A precondition to identifying, assessing, and responding to risk. Without objectives, identifying risks becomes impossible.
  • Management sets strategic objectives, which serve as the basis for operational, reporting, and compliance objectives.
  • These are formulated within the company's risk appetite, or acceptable risk level.
  • Objectives must be in line with risk appetite by limiting strategic objectives that expose the company to risk beyond the risk appetite. For example, limiting the establishment of new branches based on debt ratio tolerance.

Event Identification

  • Management identifies potential internal or external events that affect the company's ability to achieve objectives; these may be positive or negative.
  • Negative events are risks; positive events are opportunities, which management channels back to the objective setting process.
  • Identification may involve workshops, sessions, and brainstorming.
  • The goal is to identify a comprehensive list of risks that may affect the company.

Risk Assessment

  • Management uses different techniques and data to assess likelihood and impact; the assessments are rated high, moderate, or low.
  • Inherent and residual risks will also be assessed. Inherent risk is the company's susceptibility to a risk in the absence of any actions management might take to alter the risk's likelihood or impact; these risks result from the nature of the company's operations.
  • The risk that remains after applying management's responses is residual risk.
  • Management must evaluate whether the residual risk is within the company's risk appetite.

Risk Response

  • Management considers options and their effect on risk likelihood and impact.
  • The goal is to reduce residual risk to within tolerances.
  • Planning determines risk mitigation policies and controls.
  • Management must be able to assess risk on an enterprise-wide basis across different functions, resulting in a portfolio view of the risk.
  • A portfolio view enables management to analyze enterprise-wide effects.

Control Activities

  • Management puts in place specific risk mitigation policies and procedures throughout the organization, at all levels and in all functions, for proper execution.
  • Control activities must be integrated with risk response, and the risk response must be integrated with risk assessment.
  • Control activity types include preventive, detective, and corrective controls.

Information and Communication

  • The company identifies, captures, and communicates pertinent information from internal and external sources so personnel can carry out their responsibilities.
  • Personnel cannot correctly perform their functions without correct internal and external communication, both inbound and outbound.

Monitoring

  • Ongoing activities and separate evaluations assess the existence and effectiveness of risk management components and the quality of performance over time.
  • Management should evaluate the company's objectives at an appropriate level, such as the entity level or the business-unit level.
  • Internal auditors perform separate evaluations on a periodic basis; these separate evaluations help detect any significant deficiencies.

Assigning Risk Ratings

  • Identified risks are assessed in terms of likelihood and impact.
  • Management is most concerned with risks that have "high" likelihood and "high" potential impact.
  • Inherent and residual risks will also be assessed; likelihood is the probability of the occurrence of an event.
  • Risks are rated with qualitative risk ratings such as "high", "moderate", or "low", or with quantitative risk scores (0 to 5).

Assessment of Impact

  • Risk has a negative impact, but the potential consequence to profit, reputation, health, environment, or other critical factors varies.
  • Impact pertains to the magnitude or consequence of the event or risk to the company.
  • Impact can be assessed either qualitatively or quantitatively.

Risk Maps

  • Assessments of likelihood and impact can be shown on a risk map.
  • Risk ratings are plotted on the map.
  • Color coding can be used depending on the level of risk; significant risks are generally colored red.

Combined Assessments and Risk Response

Risks on the map can be interpreted as:

  • Low likelihood / Low impact: since the combined risk assessment is only low, management can ordinarily accept these risks.
  • High likelihood / High impact: management should make sure that these risks are addressed through implementing risk mitigation plans and specific control activities.
  • High likelihood / Low impact and High impact / Low likelihood: management should still exert efforts in reducing these moderate risks.

Documentation of the Risk Assessment, Risk Response, and Control Activities

  • Management and employees have effectively carried out operations when revenue and operating cash flow targets are achieved.

Limitations of Internal Control

  • Even with a good risk matrix in the appropriate range, internal control can be affected by the following:
  • Collusion
  • Management override
  • Human factors
  • Cost-benefit considerations

Monitoring and Testing of the Risk Management Process

  • Monitoring and testing of risk management is used to test its effectiveness and determine whether risks are within the company's risk appetite.
  • Management must monitor through these actions: ongoing monitoring activities, such as routine management reviews of the processes, and separate evaluations done by internal auditors.
  • Testing is conducted by internal auditors, who report any component weaknesses to the correct level of management and to the directors.
