75 Cards in this Set

How do Nicholson and Turner (2010) define strategic management (and, as such, the operating style of risk management)?

page 6

"Strategic management is the art of defining where you want to go and then making sure you get there. It requires a continuous process of reinvention, so that the goals are pushed further into the future the more closely they are within reach. There is always a drive towards improvement and greater success."

Define risk management.

page 6-7

A structured approach to addressing the full range of risks faced by an organization by identifying and analyzing potential threats, vulnerabilities, and opportunities; agreeing on effective strategies; and providing regular updates to confirm risks are being managed effectively.

How does the IIA define 'risk' as of 2013?

page 7

The possibility of an event occurring that will have an impact (good or bad) on the achievement of objectives. Risk is measured in terms of impact and likelihood.

How does the International Organization for Standardization (ISO) define risk within the risk management standard ISO 31000?

page 7

The chance of something happening that will have an impact on objectives.

or

The effect of uncertainty on objectives.

Why are risks not weaknesses?

page 7

A weakness is a flaw or a propensity for something to go wrong, while an issue describes something that has gone wrong. RISKS ARE ABOUT THE FUTURE.

Define risk analysis and key risks.

page 8

Risks (both current and emergent) must be identified and assessed for relevance to the organization, its context, and its objectives, and evaluated, leading to a determination of the key risks -- the ones requiring the most urgent attention by management.

Risk Response

page 8

There are a number of ways to respond to identified risks, depending on the risk appetite, available resources, and perceived priorities.

Monitoring

page 8

The potential for change requires routine monitoring with regard to:
- The system of internal controls and other responses, to determine what is relevant (good/opportunity or risk/issue)
- Changes
- Strategy adjustments, which can change risk relevance

Reporting

page 8

Management and the board (directly or via the audit committee or another similar body such as a risk committee or a combined audit and risk committee) will require updates and assurance on the risk profile of the organization and its state of preparedness with respect to internal controls.

Risk severity

page 8

The product of likelihood and impact of a risk. Typically determined during the analysis phase.

What are the 6 Risk Management Processes as described in COSO, 2004?

page 9

1. Aligning risk appetite and strategy
2. Enhancing risk response decisions
3. Reducing operational surprises and losses
4. Identifying and managing multiple and cross-enterprise risks
5. Seizing opportunities
6. Improving deployment of capital

How does COSO define Enterprise Risk Management (ERM)?

page 9

A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

How does the IIA's paper, Role of Internal Auditing in Enterprise Risk Management, define Enterprise Risk Management (ERM)?

page 9

A structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.

Define Risk Management framework.

page 9

The sum total of the arrangements by which risk management operates.

What does COSO have to say about risk management in regard to the organization's objectives?

page 10

"Enterprise risk management is not an end in itself, but rather an important means to achieving objectives. It does not operate in isolation in an entity, but rather is an enabler of the management process. Enterprise risk management is interrelated with corporate governance by providing info to the board of directors on the most significant risks and how they are being managed."

ISO 31000

page 11

"A systematic, timely, and structured approach to risk management contributes to efficiency and to consistent, comparable, reliable results."

What are risk management process objectives likely to include?

page 11

- Contribute to long-term organizational survival
- Maximize the value to stakeholders
- Link growth, risks, and return
- Safeguard the assets and the organization's reputation
- Facilitate greater operational effectiveness and efficiency
- Increase the likelihood of achieving objectives, etc.

Basically, reduce uncertainty/volatility with continued growth and stakeholders in mind.



Describe the cyclical nature of risk management.

Think continuous improvement.

page 12 Figure I.2

Risk management uses monitoring as a feedback loop to maintain alignment with strategic objectives, improve the effectiveness of identification and response, and continually raise the level of risk maturity.

1. Set risk appetite
2. Identify risks
3. Analyze risks
4. Agree with management's risk response
5. Supervise implementation of response
6. Monitor and report
7. Review (for improvement areas)
8. Increase risk maturity
9. Start all over with step 8 in mind.

What are the requirements for effective risk management?

page 12 Figure I.3

- Risk management exists to serve the organization, not vice versa
- It needs to be enterprise-wide
- It requires a coordinated and consistent framework
- It is NOT designed to be a brake on ambition
- It needs to be cyclical and iterative (circular/repetitive)

Define risk maturity.

page 13

A measure of the level of risk culture.

Define risk culture (Farrell and Hoon, 2009).

page 13

An organization's overall attitude and approach to dealing with risks - either more or less mature or risk aware.

"The system of values and behaviors present throughout an organization that shapes risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits."

What are the 10 essential parts of a successful risk culture per the Institute of Risk Management (IRM) (2012)?

page 13

1. Leadership and commitment from the highest levels of the organization
2. Adherence to ethical principles and concern for all stakeholders
3. Organization-wide recognition of the need for effective risk management
4. Access to reliable info related to all risks
5. Active encouragement to share info when things go wrong, for lessons learned
6. Application of risk management to all activities, even those considered to be complex, remote, or too hard to understand
7. Encouragement and reward for appropriate risk-taking as well as sanction for reckless or negligent approaches
8. Access to support and resources for the development of risk management skills
9. Acceptance of multiple perspectives to challenge the approaches adopted
10. Alignment of risk culture with the organizational culture

Define risk capacity.

page 14

Reflects the ability to accept risk as a consequence of the skills and resources at the organization's disposal.

What are the levels of risk maturity?

page 14

Define risk tolerance.

page 15

Relates to risk appetite but differs in one fundamental way: risk tolerance represents the APPLICATION of risk appetite to specific objectives. This is not board-level, but tactical and operational, and guides operating units as they implement risk appetite within their individual sphere of operation.

ACCEPTABLE VARIANCE from risk appetite

What are the benefits of defining risk appetite?

page 17

- Provides a risk management starting point
- Enables a clear expression of the objective for risk management: to manage residual risk within risk appetite
- Can be readily communicated and shared
- Confirms a common purpose and facilitates an enterprise-wide and embedded approach
- May serve as part of the evidence base for critical decisions
- Facilitates the development of resources toward those areas where residual risk remains high

Define risk profile.

page 18

The overall picture of risk across a range of categories (think definition, impact, likelihood, "score") or classification of risks.

Create a target profile and an actual profile to identify areas that require additional mitigation.

Explain the approach to Risk Appetite (adapted from Barfield)




page 18



Describe the McKinsey 7S model listing 7 interplaying dimensions between internal and external environments.

page 20

"Soft elements" = less tangible and more difficult to change

"Hard elements" = readily grasped and manipulated by management

"Shared Values" = emphasize the importance of collective goals and a common sense of purpose



What does the IIA Practice Advisory 2320-2 have to say about root cause analysis?

page 21

"Without the performance of an effective root cause analysis and the appropriate remediation activities, an issue may have a higher probability to reoccur. Root cause analysis helps prevent additional rework and proactively addresses future recurrences of the issue(s). Root cause analysis may be considered in any number of situations, such as those involving a surprise risk event, process failure, asset damage or loss, production stoppage, safety incident, quality degradation, or customer dissatisfaction. It is important to recognize that there are often multiple related or unrelated causes of an issue."

Basically, without root cause analysis you may be putting a band-aid on a shotgun wound.

How does the Institute of Business Ethics (2013) define 'business ethics'?

page 22

"The application of ethical values to business behavior. It applies to any and all aspects of business conduct, from boardroom strategies and how companies treat their employees and suppliers to sales techniques and accounting practices. Ethics goes beyond the legal requirements for a company and is, therefore, about discretionary decisions and behavior guided by values. Business ethics are relevant both to the conduct of individuals and to the conduct of the organization as a whole."

How the company (or those that represent the company) CHOOSES to act and conduct business.

What is a code of ethics?

page 23

Staff guidelines for instilling ethical behavior.

Since policies and codes of ethics are merely a statement of intent, how can organizations supplement the values and codes to gain real benefit?

page 23

- Tone at the top
- Reminders that are clear and consistent
- Integration of ethics into strategic planning and operational delivery
- Training and development linked to ethical matters
- Involvement of staff in the development and implementation of ethical frameworks

What are the 3 overall roles codes of ethical behavior and organizational values play?

page 24

1. Define and clarify ethical expectations
2. Help demonstrate ethical leadership from the top down, as the top usually communicates them
3. Codes/ethics should help resolve ethical dilemmas

What are the 4 "V"s of the 4V model developed by the Centre for Ethical Leadership (2013)?

page 24

Values - Ethical leadership starts with personal conviction
Vision - It must be able to inspire others to adopt similar values
Voice - Clear expression is required to communicate the vision and share the values
Virtue - The important thing is that all of this has an impact that leads to a more virtuous way of thinking and behaving

According to Schwartz (2004), what must a code of ethics be regarded as?

page 25

A book of rules, a signpost, a mirror, a magnifying glass, a shield, a smoke detector, a fire alarm, and a club.

What are some examples of COSO's hard and soft controls?




page 26

What is the 'agency problem' as defined in Jensen and Meckling (1976)?

page 27

The potential divergence of interests of the principal (the owners or stakeholders) and the agent (the board and managers).

i.e., managers' issue of balancing responsibility and accountability (Enron)

Describe the Three Lines of Defense.

page 28

1. Control owners - management controls
2. Internal, but not independent, oversight (risk management, etc.)
3. Independent oversight (IA)

plus board = ensure the model is operating effectively

Define autocratic.

page 29

A highly centralized style with little to no consultation, while power and control are held centrally.

- Use when time is of the essence and staff are not well trained

Define laissez-faire.

page 29

A 'hands off' style with little or no intervention; power is decentralized. Things are allowed to 'run their course' with limited intervention.

- Use when there is time and staff are HIGHLY trained

Define democratic.

page 30

More inclusive, taking into account the views and inputs of others and including them in some form of collective responsibility.

A highly decentralized style with plenty of consultation.

- Use when there is time and staff are trained

Describe Blake and Mouton's Managerial Grid (1964, in Boddy, 2011).

page 30

Team - participate
PP - Formal/authoritative
CC - Democratic
Improv - Laissez-faire
Middle - Balance

Explain McGregor's Theory X, Theory Y model for management styles.

page 32

X - People are lazy and will do the minimum; maximize performance through close supervision, coercion, rewards, and punishments.

Y - People enjoy working and want to learn; maximize performance by developing individuals, giving more responsibility, etc.

He argued Y is more effective in the long term.

What are the five common approaches to subdividing an organization as described by Boddy (2011)?

page 34

1. Functions: separate the different discrete and focused areas of activity (e.g., Finance)
2. Divisions: uses features such as product lines, regions, or customer types (Retail)
3. Matrix: staff and other resources are line-managed vertically, but organized in cross-organizational teams for specific projects or on a permanent basis
4. Teams: created within structures to give activities a particular focus and staff a sense of belonging
5. Networks: an increasingly common feature of endeavor, joining together organizations in pursuit of common objectives for mutual gain

Describe the features, benefits, and potential risks of the following organizational structures:
- Tall/Hierarchical
- Flat
- Matrix

page 35

Tall: many layers of hierarchy and communication/centralized; clear and easily understood; lots of red tape

Flat: wider spans of control/decentralized; employees self-motivated/quick communication; higher turnover/low promotions/high potential for performance issues

Matrix: comprising related cross-functional and cross-hierarchical teams/high decentralization/high degrees of individual autonomy; very flexible/responsive; very disorienting since it is the newest structure

According to the UK Dept of Business Innovation and Skills (2013), what are the requirements to achieve a prevailing attitude of honesty?

page 38

"- Timely, high-quality information provided by the organization
- A clear and credible decision-making process
- Stakeholders giving proper consideration to the information provided and making considered judgements"

Describe some of the purposes documentation serves.

page 39

- Provides info to support decision-making, planning, analysis, and data input
- Provides a historical record for reference
- Contributes to openness and transparency, as some documents are available for public scrutiny
- Provides an audit trail
- Defines authorities and responsibilities to enable accountability

List some of the internal governance mechanisms.

page 39

- A governance body (Board of Directors)
- Balance of power (separation of power)
- Risk management
- Internal auditing
- Rewards and remuneration (money)

Describe the traits of good information.

page 40

- Relevant
- Timely
- Accurate
- Usable
- Detailed

Describe the decision-making process.

page 40

Identify the problem --> Determine intended goal --> Identify relevant factors/criteria --> Collect info --> Analyze options --> Make/implement decision --> Review outcomes

Name some effective decision-making processes.

pages 41-42

- 5 Whys (keep asking why until you find the root problem)
- Chunking (break the issue down into manageable chunks)
- Drill-Down (progressively detailed levels to gain a better understanding of the issue)
- Cause/Effect
- Decision Trees
- Cost/Benefit Analysis
- Systems Diagrams (very sophisticated analysis of how all relevant factors are interrelated)
- 80-20 Rule (80% of issues are handled by 20% of the people; fix larger-impact issues first)
- Force Field Analysis (ranks each group of impacted people and their 'force' towards the decision one way or the other: 2 people for it, 3 people against, etc.)
- Paired Comparison Analysis (methodically compares alternatives)
- Grid Analysis (like paired comparison, but more complex)
- Thinking Hats





What does ISO 31000 state in regard to decision making?

page 43

Risk management should be part of an organization's decision-making process.

What are 'core capabilities' as defined by Henry, 2007?

page 43

They enable an organization to deliver its products and services to customers at a price they are prepared to pay, gaining access to key markets and making it hard for others to imitate.

What are 'distinctive capabilities' as defined by Henry, 2007?

page 43

These give an organization its unique selling point and make the greatest contribution to its competitive advantage when compared with its closest rival.

According to Boddy (2011), how do an organization's core capabilities arise?

page 43

- Its unique range of products and services
- Its resources (human, physical, financial, intangible)
- Its processes

What are the critical (essential) capabilities of an organization?

page 44

The value drivers, as they add value to inputs that are subsequently transformed into outputs for customers and service users.

inputs - labor, material, power
organization - transformation through processing
outputs - products/services

Describe the two activities in Porter's Value Chain and give examples of each.

page 45

Primary Activities: have a direct bearing on adding value
- Inbound Logistics (supply chain elements)
- Operations (main activities)
- Outbound Logistics (distribution)
- Marketing/Sales
- Services to Customers (maintenance, etc.)

Support Activities: additional things the organization needs to do to facilitate the primary activities
- Administration
- Human Resources
- Technology
- Procurement

When are third-party risks typically higher?

pages 47-48

- New relationship
- Relationship is entered into quickly
- Services provided are critical to the organization's operation
- Financial value of the arrangement is significant
- Extensive duration
- Complex undertaking
- Third party has a relationship with direct competition/conflict
- Several parties involved
- Third party is planning to sub-contract some/all of the work

Define Connected Stakeholder.

page 52

Non-executive directors who cross organizational boundaries between internal and external stakeholders.

Define Peripheral Stakeholders.

page 52

Stakeholders who only have limited and intermittent interests.

What are some of the needs and expectations of the INTERNAL Staff stakeholders with respect to risk management?

page 52

- Being involved in the development of risk management processes in order to understand them and have ownership
- Having clear instructions on what is required of them and training as new skills are needed
- Being able to accommodate the requirements that risk management processes place on them within the time and other resources available
- Gaining recognition for any additional responsibilities they take on with regard to risk management
- Having the opportunity to provide feedback on the operation of risk management processes and being given credit for the expertise and experience they can add

What are some of the needs and expectations of the Manager/Director stakeholders with respect to risk management?

page 53

- Being confident that risk management processes are providing them with the info they need to execute appropriate decisions and manage the organization effectively/efficiently
- Being confident that RM will contribute to the effectiveness/efficiency of their areas of responsibility
- Receiving support from risk experts to facilitate risk identification and development of effective RM processes
- Receiving assurance that the internal controls are working effectively
- Increasing their personal rewards by demonstrating RM processes add value
- Being able to satisfy the owners that risks are being managed effectively

What are some of the needs and expectations of the Owners (internal) stakeholders with respect to risk management?

page 53

- Being confident that management has correctly identified the key risks and that they are being managed effectively
- Being confident that RM processes contribute to the value generated by the organization

Define Policy.

page 53

A course of action or something an organization is supposed to do. Policies are likely to include the reason or rationale for doing something, and for doing it in a particular way, with reference to agreed strategic objectives.

Description of the approach or attitude adopted by an entity or activity.

Define Procedure.

page 53

Provides the steps by which the policies will be met.

Steps required to undertake an activity in accordance with a policy.

Describe the advantages of Policies.

page 54

- Explain/justify a position on a particular issue, such as stating that the organization is an equal opportunity employer
- Facilitate staff induction/training
- Capture organizational knowledge
- Ensure consistency of practice
- Translate regulatory/legal requirements into operational procedure
- Satisfy inspectors/regulators that appropriate arrangements/controls are in place for key activities
- Act as a point of reference for performance management
- Serve as a risk response, enabling an organization to keep the residual risk within the levels of appetite while exploiting opportunities as they arise



What is PESTEL?

page 56

It is one of the most familiar ways of analyzing the external environment. Find the risks, opportunities, and threats of each area below:

Political
Environment
Social (public attitudes)
Technological
Economic (market/so
Legal

Describe Porter's Five Forces model from 1980.

page 57

Used to determine the degree of rivalry that exists within segments of a given market or the market as a whole.

The 5 forces include:
1. New Suppliers (stealing business)
2. Power of Suppliers (dictate prices/switches)
3. Substitute Products (undermining market)
4. Power of Customers (bargaining)
5. Degree of Rivalry/Competition (net result of the other 4 forces)

What are the four categories stakeholders may fit into upon analysis of the degree to which they are engaged?

page 59

Promoters - keen advocates of the organization or the initiative under consideration; are likely to encourage others to support it
Supporters - have a positive view of the organization/initiative but ARE LESS LIKELY TO ENCOURAGE others
Latents - have the potential to become a supporter, but are PRESENTLY UNAWARE OR UNINTERESTED
Apathetics - do not have any strong opinion and lack motivation to get involved.

What are the non-executive directors' needs and expectations with respect to the risk management process?

page 59

- Receiving assurance that risk management processes are working effectively, are identifying all the key risks, and are having the intended effect on control and the exploitation of opportunity
- Being confident that RMP deliver the info needed to effectively challenge the executive team

What are the "Pressure Groups'" needs and expectations with respect to the risk management process?

page 60

Having the ability to influence RMP so that they take account of and address the particular areas of concern promoted by the pressure group.

What is the first and most important planning task an assessment team should undertake according to GAIT-R?

Interviewing C-suite executives and operational managers to identify and rank threats to the business.

Reasoning - The first principle of GAIT-R states that the failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business. GAIT advocates a top-down approach: business risks, risk tolerance, and the controls required to manage or mitigate business risk.

Describe Grid Analysis.

Grid Analysis is an effective decision-making process that helps analyze the available options and weigh risks that can influence governance.

Example: Possible new toys were considered in light of factors such as price, regulatory requirements, consumer demand, etc. Each factor was given a weight for relative importance. Then the toys were scored and ranked.