Risk Strategy and Governance


Questions and Answers

Which of the following is the BEST description of a Risk Management Framework (RMF)?

  • A structured approach used to oversee and manage risk for an organization. (correct)
  • A collection of insurance policies designed to protect an organization from all potential losses.
  • A software application used to automate risk assessment and mitigation processes.
  • A legal document outlining the responsibilities of the risk management team.

According to ISO 31000, which element is essential for managing risk?

  • Guaranteeing complete elimination of all risks.
  • Continually improving risk management. (correct)
  • Establishing a rigid, unchanging framework.
  • Focusing solely on internal risks.

Which of the following BEST describes the activities harnessed by an organization's risk management framework, according to the Orange Book?

  • To identify and manage uncertainties and prepare responses. (correct)
  • To exclusively focus on compliance with regulatory standards.
  • To ignore uncertainties and assume successful responses.
  • To delegate risk management to external consultants.

Which of the following is NOT a stated objective of COSO's mission?

Answer: Eliminating all business risks. (B)

Within the COSO ERM framework, which component emphasizes the importance of understanding both internal and external factors and their impact on risk?

Answer: Risk, Strategy, and Objective-Setting. (D)

Which component of the COSO ERM framework focuses on aiding the organization in decision-making and achieving strategic goals?

Answer: Risk in Execution. (B)

According to the ISO 31000:2018 Risk Management standard, what are the three major segments it is divided into?

Answer: Principles, Framework, and Process. (B)

In the context of ISO 31000, what is the PRIMARY goal of 'Communicating and Consulting' within the Risk Management process?

Answer: To ensure all stakeholders are informed and understand risks. (B)

Which element is MOST important to define when establishing the 'scope' of Risk Management activities?

Answer: What activities are covered and not covered. (C)

What does Risk Analysis primarily aim to comprehend?

Answer: The nature of risk, characteristics and effectiveness of controls. (C)

What is the PRIMARY purpose of Risk Evaluation in the context of Risk Management?

Answer: To support decision-making related to Risk Treatment. (D)

When selecting Risk Treatment options, what should an organization consider in addition to direct and indirect costs?

Answer: Potential socio-economic benefits. (B)

Why is 'Monitoring and Reviewing' a CRUCIAL step in the Risk Treatment process?

Answer: To improve process effectiveness and address unintended consequences. (B)

Risk Management policies primarily aim to:

Answer: Identify key risk events impacting business objectives. (D)

Which of the following is a GUIDING principle for effective Risk Policies?

Answer: Making employees aware of risks in their domain. (D)

What is the BEST description of Enterprise Risk, as opposed to a silo approach?

Answer: Addressing the full spectrum of an organization's risks. (C)

How does Enterprise Risk Management (ERM) help an organization?

Answer: By identifying strategic risk opportunities. (A)

In developing an ERM program, the 'Business strategy and objectives' component is a step in integrating ERM and:

Answer: Business goals. (D)

What does 'Risk Appetite' define in the context of Enterprise Risk Management?

Answer: The amount of risk an organization is willing to accept. (A)

In ERM, what does 'Risk Culture' primarily concern?

Answer: The values, attitudes, and practices followed in an organization. (A)

What is the significance of 'internal controls' in Enterprise Risk Management?

Answer: Internal controls reduce inherent risk to residual risk. (B)

What is the MAIN objective of integrating Business Continuity Plans (BCP) with Enterprise Risk Management (ERM)?

Answer: To achieve strategic objectives and resilience. (C)

What are the G20/OECD Principles of Corporate Governance designed to do?

Answer: Help policy makers evaluate and improve corporate governance frameworks. (D)

What should a corporate governance framework promote?

Answer: Transparent and fair markets. (C)

According to guidelines, what rights should basic shareholder rights include?

Answer: The right to convey or transfer shares. (C)

Why is it important to allow shareholders to consult with each other on issues concerning their basic shareholder rights?

Answer: To prevent abuse. (C)

What mechanism helps ensure that stock markets contribute to good Corporate Governance?

Answer: Fair and efficient price discovery. (B)

What key aspect is required for ethical risk management practices regarding transparency and disclosure?

Answer: Transparently communicating risks to all stakeholders. (B)

Which of the following BEST describes the ethical dimension of 'Fairness and Equity' in risk management?

Answer: Treating all stakeholders fairly and equitably. (D)

What does the ethical dimension of 'Integrity and Honesty' primarily involve in risk management?

Answer: Accurately presenting risk probabilities and impacts. (A)

Flashcards

Risk Management Framework (RMF)

A structured approach used to oversee and manage risk for an organization.

The Orange Book Definition of RMF

A risk management framework emphasizes identifying and managing uncertainties for preparedness.

COSO Mission

Offers guidance on internal controls, risk management, governance, and fraud deterrence.

Risk Governance and Culture

Effective risk oversight depends on understanding the entity's strategy and industry landscape.

Risk, Strategy, and Objective-Setting

Integrates ERM to understand internal/external variables and their risk impact.

Risk in Execution

ERM methodologies aid decision-making and attaining strategic/business goals.

Risk Information/Communication Reporting

Management uses internal/external data to strengthen ERM practices.

Monitoring Enterprise Risk Management Performance

Monitors ERM implementation's effectiveness and component functionality.

Principles (ISO 31000:2018)

Foundation for managing risks; principles should be considered when establishing the organization's risk management framework and processes.

Framework (ISO 31000:2018)

Needs to assist the organization to integrate Risk Management with all the activities and functions of the organization.

Risk Management Process

Involves communicating, defining scope, risk assessment, treatment, and monitoring.

Risk Management Framework

Mechanism for identifying risks that could impact an organization.

Risk Assessment

Mechanism for assessment of risks identified.

Risk Mitigation

Preparation to mitigate or control the risks identified.

Risk Treatment Options Selection

Organizations should determine how best to respond to identified risks, balancing costs and benefits.

Risk Assessment Process

Involves identifying, analyzing, and evaluating new, emerging, and changing risks.

Risk Treatment

Should be deployed for all identified risks.

Risk Management Policies

To identify key risk events impacting the business objective and ensure timely evaluation, reporting and monitoring of key business risks.

Risk Policies

Protect business value from uncertainties, especially black swan events.

Dynamic Risk Management

Risk management (RM) is a coordinated, pre-decided activity meant to direct and control the challenges or threats an organization faces in achieving its goals and objectives.

Enterprise Risk

Enterprise Risk embeds into corporate strategies the risk profile that arises on account of various factors.

Independent Directors

Ensure the integrity of financial information, and that financial controls and the systems of risk management are robust and defensible.

Adequacy of Internal Financial Controls

Board of Directors to report on adequacy of internal financial controls with reference to financial statement.

What is SA 315?

SA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment”.

Auditor's objective of SA 315

The auditor is to identify and assess the risks of material misstatement, whether due to fraud or error.

Ethical Risk Management

Transparency involves communicating risks to stakeholders.

Fairness and Equity in Risk Management

Requires treating all stakeholders fairly and equitably.

Responsibility in Risk Management

Taking responsibility for identifying, assessing, and mitigating risks.

Sustainability in Risk

Involves considering the long-term implications of risks on sustainability.

Study Notes

  • Risk strategy and governance involves understanding risk management frameworks, implementing risk management policies and processes, linking enterprise risk to business, ethical dimensions, and legal, regulatory, and compliance aspects.

Risk Management Framework

  • Defines a systematic approach to oversee and manage risk within an organization.
  • Key components include developing mechanisms for risk identification, risk assessment, and preparation for risk mitigation or control.
  • ISO 31000 Guide 73: 2009 defines Risk Management Framework as components providing foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management organization-wide.
  • The Orange Book defines a risk management framework as activities harnessing identification and management of uncertainties, alongside proactively preparing successful responses.
  • Paul Hopkins defines it as a set of activities that supports the risk management process.

COSO Enterprise Risk Management Framework

  • Founded in 1985 as the Committee of Sponsoring Organizations of the Treadway Commission, it aimed to fund and oversee the National Commission on Fraudulent Financial Reporting.
  • Five member organizations include the American Accounting Association, The American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and The Institute of Management Accountants.
  • COSO issued the Enterprise Risk Management—Integrated Framework in 2004 as a widely accepted standard.
  • The framework addresses the evolution of enterprise risk management and the need to improve risk management approaches due to the complexity of risk.
  • The document, Enterprise Risk Management—Integrating with Strategy and Performance, emphasizes strategy-setting and performance.
  • Offers guidance to improve internal controls, risk management, governance, and fraud deterrence.

Components of COSO's Framework

  • Risk Governance and Culture involves effective risk oversight by the board, understanding strategy, and industry landscape.
  • The board plays a vital role in risk governance and influences ERM practices.
  • Risk, Strategy, and Objective-Setting involves integrating ERM for understanding internal and external variables, determining risk appetite with strategy formulation, with business objectives translating strategy into actionable plans.
  • Risk in Execution focuses on ERM methodologies for decision-making and achieving strategic goals, resembling traditional risk management but incorporating a Risk Portfolio perspective, which identifies, evaluates, and ranks risks based on their potential impact.
  • Risk Information concentrates on data from internal and external channels to improve ERM practices, using information systems to collect, analyze, and manage data effectively and reporting on risk, culture, and performance.
  • Monitoring Enterprise Risk Management Performance provides valuable insights into the effectiveness of ERM implementation and component functionality over time.

ISO 31000:2018

  • The International Organisation for Standardisation (ISO) sets international standards, promoting industrial and commercial standards worldwide.
  • The ISO 31000:2018 Risk Management standard is divided into Principles, Framework, and Process.

ISO 31000 Principles

  • Principles are the basis for managing risk, essential when establishing an organization's risk management framework.
  • They enable an organization to achieve its objectives, with the core principle of "Value creation and Protection".
  • Risk Management creates value for both internal stakeholders like management and shareholders, and external stakeholders like customers.

ISO 31000 Framework

  • The framework integrates risk management into all organizational activities and functions.
  • Framework development includes integrating, designing, implementing, evaluating, and improving risk management.
  • It should be customized to fit the organization's needs and demands.

ISO 31000 Process

  • Involves communication and consultation across the organization with internal and external stakeholders throughout all risk management stages; this should facilitate stakeholder understanding and lead to informed decisions.
  • Defining scope, context, and criteria covers risk management activities at all management levels (strategic, operational, and project), aligned with the organization’s objectives.
  • Establishing external and internal contexts and reflecting the environment is crucial for risk management.
  • The organization should define and document risk considerations based on its objectives and stakeholder interests, aligned with the Risk Management Framework.
  • Risk criteria need to be dynamic, periodically reviewed, and amended.

Risk Assessment Process

  • The process includes Risk Identification, Risk Analysis, and Risk Evaluation.
  • Risk Identification identifies new and emerging risks impacting the organization's strategy; it occurs across all management levels and functions and uses relevant, appropriate, and up-to-date information.
  • It considers tangible and intangible sources of risk, causes, events, threats, opportunities, vulnerabilities, capabilities, and changes in external and internal contexts.
  • Risk Analysis analyzes identified risks to understand the severity, nature, characteristics, sources, impacts, likelihood, controls, and effectiveness.
  • Analysis should vary based on organizational levels using quantitative, qualitative techniques, or a combination.
  • Risk Evaluation compares risk analysis outcomes with defined risk criteria to determine actions.
  • Risk Treatment addresses identified risks through selection and implementation of risk treatment options.

Risk Treatment Options

  • Selection involves cost-benefit analysis, considering socioeconomic benefits against direct and indirect costs.
  • Various options based on Risk Analysis include avoiding, removing the source, changing likelihood/consequences, sharing/transferring (insurance), or retaining the risk through informed decisions.
  • Selection should align with objectives, risk criteria, and resources.
  • Preparing and implementing risk treatment plans involves specifying chosen treatment options, identifying implementation order, communicating plans to stakeholders, and integrating them into management processes.
  • Monitoring and reviewing assures and improves the quality and effectiveness of process design and implementation; it should be ongoing, to make sure the different treatment forms remain effective.
  • Recording and reporting involves documenting and communicating through appropriate mechanisms for Risk Management activities, outcomes, supporting decision-making at different management levels.
  • Factors taken into consideration include frequency, timelines, and cost.

Implementation of Risk Management Policies and Processes

  • Policies aim to identify key risk events impacting business objectives, which ensures timely evaluation, reporting, and monitoring.
  • Risk policies define roles and responsibilities for the board, audit committee, and risk officer/owners; they outline the risk management process and reporting requirements, describe the context for risk management, and provide a framework for identifying, assessing, and mitigating risks.
  • Further, they should assist in decision-making, align with the risk policies' key principles, base decisions on prior information and acceptance of risk, protect business value against uncertainties like Black Swan events, make employees aware of risks/measures, and be embedded in business processes.

Enterprise Risk (ERM) and Linkage to Business

  • RM directs and controls challenges to achieve organizational goals.
  • Enterprise Risk takes a wide approach to address the full spectrum of risks.
  • ERM helps determine how corporate strategy aligns with corporate objectives and integrates the risk profile into corporate strategies.
  • Applying ERM minimizes effects on earnings and growth by aligning organizational structure, processes and other elements.
  • Key factors for developing ERM are an organization's structure, processes, and other elements, together with adequate risk/reward benchmarks.
  • ERM can help an organization identify strategic risk opportunities, provide a common language for organizational problems and treatments, give senior management up-to-date information for capital reporting disclosures, align annual performance with risk identification, and reward upstream reporting of risk opportunities.
  • It can also align initiatives with self-appraisals/control assessments, envision key risk scenarios, and monitoring financial.
  • Important components include the organization's Business strategy and objectives, Risk Appetite, Culture, Data, and Internal Control.

ERM Business Strategy and Objectives

  • This is the first step in integrating ERM with business goals and objectives.
  • The strategic objective of an organization can be achieving sustainable growth, achieving a certain market share, maximizing shareholders’ wealth, service to stakeholders, ESG, etc.
  • The organization assesses the level of risk it assumes when executing such strategies.
  • ERM connects these strategies to challenge inaccurate or poorly based elements.

ERM Risk Appetite

  • Defines the amount of risk an organization willingly accepts to achieve its goals, reflecting risk management philosophy and culture.
  • The risk appetite statement considers existing factors, including risk profile, capacity, attitude, and tolerance toward risk; it is then put into precise written form so that it can be communicated effectively.
  • The risk appetite shall be continuously monitored and re-evaluated regularly.

ERM Risk Culture

  • The set of values, attitudes, and practices followed in an organization, providing a strong culture for resolving conflict and making decisions.

ERM Risk Data

  • An effective Enterprise Risk system should assimilate, integrate, and analyze risk data and convert it into reports.

ERM Internal Control

  • Internal controls are important for identifying the inherent risk level versus the residual risk level.

Measurement and Evaluation

  • Involves ranking risks using deviation techniques.

Scenario Analysis and Planning

  • Helps plan for, identify, assess, and manage the required links.

ERM Evaluation

  • Once the ERM program is in place, it is evaluated and improved if required.

Integration of Business Continuity Plans (BCP) and Enterprise Risk Management (ERM)

  • A Business Continuity Plan covers the planning tasks for operational elements so that functions resume during any disruption.
  • ERM and BCP share common goals, such as identifying, assessing, and managing risk.

ERM & BCP Synergies

  • Program owners are commonly the same people, even when supported by different staff roles.
  • The same risks are typically reported to risk committees/boards by the same owners.
  • ERM covers the operational interruption risks that BCP addresses; ERM standardizes the Business Impact Analysis (BIA), which is the base for any organization's initial action after an interruption, whether it affects one department or another.
  • Risk appetite and tolerance decisions determine how the organization responds to an interruption.
  • Approved interruption strategies are well documented, and actual interruptions feed back into them.

Governance & Ethics

  • Corporate governance is important for entities, and is being implemented even in third-world countries.
  • Managers realize that corporate governance alone is not enough to safeguard shareholders; changes in the Indian economy bring greater risks to that environment, so boardrooms need the requisite skills and caution.
  • Corporate governance covers the key relationships (shareholders, management, board of directors) that set strategic direction.

Chartered Accountancy Role

  • Chartered Accountants develop holistic approaches to corporate governance and effective performance, combining the growth of corporate and enterprise governance.
  • The overall framework is that management is accountable to the board, and the board to the shareholders; this will develop further over time.
  • The increase in momentum is due to more regulations imposing obligations, which may lead to legal sanction.
  • Quality concerns the levels of assurance conducted for shareholders; if done properly, shareholders and investors will gravitate to this environment and share their views.
  • Governance is the accountability of management and the executive team to the board for the strategic and operational direction of resources. Enterprise governance is the set of responsibilities and practices exercised by the board and executive management to set goals, achieve the strategic direction, and ensure company resources are used to reach it. In a nutshell, it addresses the performance and future of the company through its system of controls and value. Elements of "good enterprise governance" standards are:
    • Monitoring management
    • Transparency (performance, ownership)
    • Decision (shareholders)
    • Compliance
    • Board accountability
    • Planning
    • Decision
    • Risk Management
    • Scorecards
    • Enterprise systems
    • Continuous
  • Reaction is strongest after major events such as Enron and other high-profile reporting failures.

G20/OECD Guidelines for Corporate Governance

  • Corporate governance defines the relationships between the company, its shareholders, and its stakeholders, and the means of monitoring and performance.
  • These guidelines help policy makers improve the legal and economic frameworks that support a sustainable structure.

Ensuring the basis for an effective corporate governance framework

  • The framework should promote fair and transparent markets and the efficient allocation of resources, consistent with the rule of law.
    • Developed with regard to its impact on market transparency.
    • Transparent rule of law.
    • Public responsibilities clearly articulated.
    • Regulation that supports the framework.
    • Supervisors fulfil their duties in a professional and objective manner.
    • Co-operation in information exchange.

Rights and equitable treatment of shareholders in ownership functions

  • The framework should protect and facilitate the exercise of shareholders' rights, ensure equitable treatment (including of minority shareholders), and provide redress for violations.
  • Basic shareholder rights include the right to:
    • Secure methods of ownership registration.
    • Convey or transfer shares.
    • Obtain information on a regular basis.
    • Participate and vote in general meetings, elect and remove board members, and share in the profits.
  • Shareholders should be informed of, and able to approve, fundamental changes such as amendments to the statutes, authorization of additional shares, and extraordinary transactions including the sale of the company.
    • Shareholders should be able to participate effectively in general meetings and be informed of the rules that govern them.
      • Information is prepared and provided before the meeting.
      • Company procedures should not make participation unduly burdensome or expensive.
      • Opportunity to ask questions of the board and external auditors and to propose resolutions, subject to lawful limits.
    • Effective shareholder participation in board nomination and election, and the ability to express views, through votes, on pay and equity compensation.
    • Voting in person or in absentia should have equal effect.

Institutional investors, stock markets, and other intermediaries

  • The investment chain should operate honestly and support effective corporate governance.
    • Institutional investors should disclose their governance and voting policies and procedures.
    • Votes should be cast by nominees in line with the directions of the beneficial owner of the shares.
    • Conflicts of interest should be disclosed.
    • Advisors and analysts should safeguard the integrity of their advice.
    • Market manipulation and insider trading should be prohibited.

The role of stakeholders in corporate governance

  • The framework should encourage co-operation between corporations and stakeholders in creating wealth:
    • Stakeholder rights are respected.
    • Effective remedy is available if a right is infringed.
    • Mechanisms exist for stakeholder involvement.
    • Access to information is on a fair basis.
    • Concerns about illegal practices can be freely communicated.
    • An effective insolvency framework with enforcement of debt claims.

Disclosure and transparency

  • The framework requires timely and accurate disclosure of all material matters about the organization, including its financial situation.
    • Financial results and company objectives.
    • Major share ownership and voting rights.
    • Remuneration structure for executives.
    • Directors, their qualifications, the election process, and their independence.
    • Material related-party transactions.
    • High-quality information for all, with an effective and independent external audit.

Responsibilities of the board

  • The board provides strategic guidance and monitors management.
    • Act in good faith, with due diligence and care, and in the best interest of the company.
    • Treat all shareholders fairly, apply high ethical standards, and take stakeholder interests into account. Key functions include:
      • Reviewing and guiding corporate strategy, plans, risk policy, internal controls, and related capital expenditures.
      • Monitoring effectiveness and making changes when needed.
      • Setting senior pay in relation to stakeholder value.
      • Ensuring transparency.
      • Managing conflicts of interest and preventing abuse.
      • Ensuring proper accounting. For the above to work, there must be enough directors free of conflicting ties; the board should be well defined, regularly evaluated, and equipped with the information and skills it needs.

Ethical dimension in Risk Management

  • Ethics is involved across all domains. The dimensions involved include:
    • Transparency: openly disclosing the risks involved to all, for investments and operations.
    • Fairness and Equity: managing the impact on stakeholders fairly, not favouring one class over others.
    • Integrity: being honest, neither lying nor being deceptive.
    • Responsibility: being accountable for one's actions.
    • Conflict of interest: averting situations that compromise judgement.
    • Sustainability: managing the changing challenges of the environment and society.
  • Compliance with laws, and protection, in the following areas:
    - Section 134: Financial control
    - Section 143: Adequacy
    - Section 143: Auditing
    - Section 177 & Rules 6 & 7: Evaluation; audit comments

Schedule IV

  • Independent directors are responsible for the integrity of financial information, while the board reports on the adequacy of internal financial controls with reference to the financial statements. Under auditing standard SA 315, auditors assess the entity's processes and controls at the financial-statement and transaction level, test those controls, and evaluate the likelihood of misstatements.

SEBI

  • The board constitutes a risk management committee of at least three members, made up of directors including an independent director and chaired by a board member, which holds meetings during the year. Its remit has to cover cybersecurity, to oversee those functions. The largest listed companies are required to have one.
