44 Cards in this Set
Risk management standard
A document published by a recognized authority that includes principles, criteria, and best practices for risk management.
Framework
A structure, including elements such as concepts, methods, procedures, and metrics, that supports the risk management process.
Common purpose of risk management standards
All of the standards share a common purpose of helping organizations assess and manage risk.
Similarities of risk management standards and frameworks
• Structured process steps
• Understanding of and accountability for defining risk appetite
• Formal documentation of risks in risk assessment activities
• Establishment and communication of risk management process goals and activities
• Monitored treatment plans
Select risk management standard(s) based on these criteria
• Adherence to controls
• Need to meet regulatory requirements (compliance)
• Risk governance
Risk governance
Integration of the management principles governing the organization with the risk management process
RIMS Risk Maturity Model (RMM)'s 7 essential attributes
• ERM-based approach (adoption of enterprise risk management across the organization)
• ERM process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Business resiliency and sustainability
How the RIMS Risk Maturity Model (RMM) works
Key drivers of each attribute are analyzed and measured to establish the maturity level. The organization bases its self-assessment on its performance in these attributes along a maturity continuum ranging from nonexistent at level 0 to leadership at level 5.
ISO 31000:2009 risk management standard description
•Consists of three major parts:
–Principles: Rooted in risk management and designed to generate value and continuously scan and react to the environment
–Framework: Elements based on program design, implementation, and monitoring
–Processes: Emphasis on deliberative communication, context, risk assessment and treatment, and follow-up
COSO ERM risk management standard description
• Focuses on threats to the organization and application of controls.
• Does not delve into details of risk management approaches and processes.
Basel II description
• Issued by the Basel Committee on Banking Supervision (BCBS) to provide recommendations on banking laws and regulations, which member countries then implement through national rules.
• Basel II is treated as a regulation rather than a voluntary standard.
• Establishes risk and capital management rules for banks.
Solvency II
• Developed by the European Commission to provide regulatory requirements for insurance firms that operate in the European Union.
• Solvency II is a regulation rather than a standard.
ISO 31000 scope
Although the standard is universally applicable, it is not intended to produce uniformity. On the contrary, its emphasis is on tailoring its process and framework to each organization.
Risk criteria
Reference standards, measures, or expectations used in judging the significance of a given risk in context with strategic goals.
What an organization’s risk management policy should do
This policy should address how the organization will identify risks and how it will measure, review, and communicate its risk management efforts.
ISO 31000 definition of risk assessment
The ISO 31000 definition of risk assessment includes:
• Risk identification
• Risk analysis
• Risk evaluation
Risk treatment
Risk treatment is the ongoing process of deciding on an option for modifying risk and whether the residual level of risk is acceptable, selecting a new risk treatment if the current one is not effective, and then repeating this assessment.
Elements of risk monitoring
• Monitoring and reviewing both internal and external changes, and how these changes affect risks and their treatment, should be a planned part of the risk management process.
• Monitoring should also include recording the assessments and reporting them internally and externally, as needed; determining the frequency, distribution, and method of reporting is an integral part of developing the risk management process.
The COSO Enterprise Risk Management-Integrated Framework is designed to help an organization achieve its objectives in four categories:
• Strategic: high-level goals, aligned with and supporting its mission
• Operations: effective and efficient use of its resources
• Reporting: reliability of reporting
• Compliance: compliance with applicable laws and regulations
The eight elements of the COSO Enterprise Risk Management-Integrated Framework
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Inherent risk
Risk to an entity apart from any action to alter either the likelihood or impact of the risk
Residual risk
Risk remaining after actions to alter the risk’s likelihood or impact
Internal environment component of COSO
Determine risk management philosophy and risk appetite, integrity and ethical values, and the operating environment. A board of directors is an important part of the internal environment with influence on the other aspects of the environment. In this component of the risk management process, senior management aligns the people, processes, and infrastructure to make it possible for the organization to stay within its risk appetite.
Objective setting component of COSO
Align risk management objectives with the organization’s mission and risk appetite. Objectives must be determined before management can identify the events that might affect their achievement.
Event identification component of COSO
Identify internal and external events that affect achievement of objectives, and distinguish between events with negative impact (risks) and events with positive impact (opportunities). External events include economic, political, social, and technological factors. Internal factors include management decisions, people, infrastructure, processes, and technology.
Risk assessment component of COSO
Analyze risks, considering likelihood and impact. Likelihood is the possibility that a given event will occur. Impact is the effect of an event if it does occur. Risk assessment is first applied to inherent risk. After the development of risk responses, residual risk is determined.
Risk response component of COSO
Select how to respond to the risks identified, for example, by avoidance, reduction, or transfer.
Control activities component of COSO
Establish policies and procedures to carry out effective risk responses. Control activities are the policies and procedures to determine that risk responses are performed correctly.
Information and communication component of COSO
Use effective communication that flows down, across, and up the organization. An organization should use both historical and current data to have an effective risk management program.
Monitoring component of COSO
Make modifications through ongoing monitoring of the risk management process. An organization may use both internal and independent evaluations to monitor its risk management.
According to COSO, is risk management a serial process?
According to COSO, “risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional… process in which almost any component can and does influence another.”
According to COSO, at what level should the risk management process be applied?
According to COSO, the risk management process should be applied across all four levels of an organization: entity, division, business unit, and subsidiary.
Why are control activities a key feature of the COSO standard in comparison with other risk management standards?
Because COSO historically focused on financial controls and developed its 2004 ERM framework in the context of internal audits related to Sarbanes-Oxley compliance, control activities are a key feature of this standard in comparison with other risk management standards.
What are control activities according to COSO?
Control activities are policies and procedures applied to each of the four categories of objectives—strategic, operations, reporting, and compliance.
According to COSO, what is the most important function of a control?
According to COSO, the most important function of a control is its role in achieving the objective.
What are the two parts of a control activity?
The first part is the policy that states what should be done, and the second part is the procedure to accomplish the policy.
What are the two types of monitoring?
The first type is ongoing regular monitoring by an organization's management. The second type is periodic evaluations, often by internal auditors. Internal auditors can identify areas where control activities are deficient and make recommendations to improve them.
In what areas does Solvency II aim to achieve consistency across Europe?
Solvency II aims to achieve consistency across Europe in these areas:
• Market-consistent balance sheets
• Risk-based capital
• Own risk and solvency assessment (ORSA)
• Senior management accountability
• Supervisory assessment
What are the three supporting pillars of Solvency II?
Pillar 1: This pillar covers all the financial requirements and aims to ensure firms are adequately capitalized with risk-based capital. It includes the use of internal models that, subject to stringent standards and prior supervisory approval, enable a firm to calculate its regulatory capital requirements using its own internal modeling.
Pillar 2: This pillar imposes higher standards of risk management and governance within an organization and gives supervisors greater powers to challenge their firms on risk management issues. The ORSA requires a firm to undertake its own forward-looking self-assessment of its risks, corresponding capital requirements, and adequacy of capital resources.
Pillar 3: This pillar aims for greater levels of transparency for supervisors and the public. There is a private annual report by insurers to supervisors and a public solvency and financial condition report that increases the required level of disclosure.
Risk-based capital (RBC)
Amount of capital an insurer needs to support its operations, given the insurer’s risk characteristics
Modeling
In data analysis, a system of calculating known outcomes based on current data and then applying these calculations to new data to predict future outcomes.
What are the three pillars of the 1999 revised Capital Adequacy Framework (the basis of Basel II)?
• Minimum capital requirements: refinement of the standardized rules in the 1988 Accord, which set out specific risk weights for different types of credit exposure, such as government bonds and mortgages. Basel II offered more sophisticated alternatives for evaluating credit risk, such as approaches based on a borrower's credit rating. The minimum capital standard, however, remained at 8 percent of risk-weighted assets.
• Supervisory review: review by supervisors of an institution's internal assessment process and capital adequacy.
• Disclosure: effective use of disclosure to strengthen market discipline and complement supervisory efforts. The Basel Committee states that "Market discipline imposes strong incentives on banks to conduct their business in a safe, sound and efficient manner, including an incentive to maintain a strong capital base as a cushion against potential future losses arising from risk exposures."
What are the goals of Basel III?
• Improve the banking sector's ability to absorb shocks arising from financial and economic stress, whatever the source
• Improve risk management and governance
• Strengthen banks’ transparency and disclosures
The Basel Committee states that risk management encompasses these processes:
• Identifying risks to a bank
• Measuring exposures to those risks where possible
• Ensuring that an effective capital planning and monitoring program is in place
• Monitoring risk exposures and corresponding capital needs on an ongoing basis
• Taking steps to control or mitigate risk exposures, and reporting to senior management and the board on the bank's risk exposures and capital positions