Enterprise Risk Management Policy
10 Questions

Created by
@ThriftyFauvism

Questions and Answers

What is the primary purpose of a risk register?

To act as a vehicle for capturing all the assessment and decisions made in respect of identified risks

What is the key factor in determining whether an organization succeeds or fails in risk management?

The individual's behavior and actions

Who is responsible for making a statement on the systems of internal control in the annual report?

Board Sponsor

What is the role of the Chief Risk Officer in implementing the corporate risk policy?

Translating the board's vision on risk management

What is the primary purpose of checking compliance?

To ensure that controls are actually working as intended

What is the role of the risk policy in risk management?

To embed risk management into everyday activities

What is the primary benefit of having a risk register?

It serves as evidence of risk containment activity

What is the key factor in determining what goes into a risk register?

The perception of risk (risk appetite or risk tolerance)

What is the role of stakeholders in risk management?

They are critical to the success of risk management, as they buy-in and support the process

What is the primary goal of embedded risk management?

To make risk management a part of everyday activities

Study Notes

The Risk Policy

  • A brief document that outlines the organization's position on risk management, conveying clear messages from the board.

Enterprise-Wide Risk Management

  • An integrated approach to risk management across the organization, part of the strategic planning process and performance measurement system.
  • Mission is translated into a strategy, implemented, and monitored through performance measures, with adjustments made as needed.

Control Self-Assessment

  • Techniques for control self-assessment include:
    • Questionnaires completed by key employees to assess risk areas and controls.
    • Interviews with managers to gauge control and risk management.
    • Comprehensive reviews of high-profile areas by external consultants.

Embedded Risk Management

  • A process that ensures risk is understood, identified, and managed.
  • The Chief Risk Officer (CRO) helps coordinate these efforts.

Statement of Internal Control (SIC)

  • A formal publication that outlines risk efforts and ensures controls are in place.

Managing Risk

  • Internal auditing is an independent, objective assurance and consulting activity that adds value and improves operations.
  • Helps an organization accomplish its objectives by evaluating and improving risk management, control, and governance processes.

What is Risk?

  • Risk is a choice rather than a fate, derived from the Italian word "risicare," meaning "to dare."
  • Risk arises from uncertainty, and controls are based on reducing this uncertainty.
  • Risk is measured in terms of consequences and likelihood.

Risk Registers and Appetites

  • Risk registers capture assessments and decisions made about identified risks.
  • May form part of the assurance process, supporting the statement of internal control.
  • The risk register records stages and ends with a record and action plan.

Risk Policy

  • Board sponsor makes a statement on the system of internal control in the annual report.
  • People buy-in is essential, as individual behavior determines an organization's success or failure.
  • The Chief Risk Officer directs the effort, sets up systems, and embeds the risk policy into everyday activities.


Description

This quiz covers the risk policy document that outlines an organization's risk management position with a focus on integration with strategic planning and performance measurement.
