61 Cards in this Set


How do the IIA Standards describe risk management?

page 65

'a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.'

Describe IIA Standard 2120 (from 2013)

page 66

"Outlines the features necessary for risk management processes to work properly:

- Organizational objectives support and align with the organization's mission
- Significant risks are identified and assessed
- Appropriate risk responses are selected that align risk with the organization's risk appetite
- Relevant risk info is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities"

What can we ask to understand if the RMP is working?

page 66

- Is the RMP aligned to the organization's strategy?
- Does the RMP provide a comprehensive view?
- Are controls working?
- Above all, does RM contribute to the organization's success by preparing it for upside and downside risks?

Cyclical processes of Risk Management

page 67

How does COSO (2012) define benchmarking?

page 67

"A collaborative process among a group of entities that focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities"

or: the systematic comparison of actual activities with a set of standards

What is the downside of benchmarking?

page 68

- The standards used may not be right for the organization (or not entirely right)
- The organization may take undue comfort, falsely or arrogantly believing that everything is "okay" just because the benchmarking against a set of standards says so

What is ALWAYS the goal for RM?

page 68

Continuous Improvement (higher degree of maturity)

Name some of the high-profile risk management standards/frameworks commonly used.

page 68-69

- IIA
- Combined Australian and New Zealand Standards (AS/NZS 4360:1999)
- National Institute of Standards and Technology (NIST)
- ISO 31000
- COSO's Enterprise Risk Management - Integrated Framework
- IIA's GAIT for Business and IT Risk

The guidance above can be integrated within a wider internal control framework like the ones below:

- COSO's Internal Control - Integrated Framework
- Criteria of Control Framework (CoCo)
- UK Corporate Governance Code
- ISO 9000

THERE ARE MORE ON PAGE 69

Describe the AS/NZS framework.

page 69

Framework embedded within general organizational operations, policies, and culture to create '... a risk management process involving establishing context and the identification, analysis, evaluation, treatment, communication, and ongoing monitoring of risks.'

FIRST SET OF STANDARDS (1995)

What are the 7 key steps to the AS/NZS framework?

page 70

1. Establish the context
2. Identify risks
3. Analyze risks
4. Evaluate risks
5. Treat risks
6. Monitor/review risk management processes
7. Communicate/consult with key stakeholders

What is the NIST 800-37?

page 70

Risk management framework for a specific sector, US Dept. of Defense.

"Guide for applying the risk management framework to federal information systems."

Principal steps include:

- Categorizing info and information systems
- Selecting security controls
- Implementing security controls
- Assessing security control effectiveness
- Authorizing the information system
- Monitoring security controls and info system security on an ongoing basis

What is the ISO 31000:2009?

page 70

International Organization for Standardization (ISO) 31000 was launched in 2009 and largely superseded AS/NZS 4360.

"Provides principles, a framework, and process for managing risk" and is applicable to organizations regardless of size/sector.

Main focus:

- Increase the likelihood of achieving objectives
- Improve the identification of opportunities and threats
- Effectively allocate and use resources for risk treatment

Target audience:

- Executive-level stakeholders, appointment holders in the ERM group, risk analysts/management officers, line/project managers, compliance/internal auditors, and independent practitioners

Describe COSO's Enterprise Risk Management - Integrated Framework

pages 71-72

COSO ERM = Internal Control - Integrated Framework (Think about that stupid cube! - Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities) + extra stuff

Key objectives:

- Help managers deal with the wide range of risks that threaten objectives

COSO's ERM components:

- Internal Environment (ethics, competence, operating style, risk appetite, etc.)
- Objective Setting (process in place to set objectives aligned w/ mission)
- Event Identification (management's consideration of factors that create threats/opportunities)
- Risk Assessment (likelihood/impact)
- Risk Response (management to decide/implement)
- Control Activities (strives to achieve objectives)
- Information and Communication (info to identify/assess/respond to risks, and communication to raise awareness)
- Monitoring

Describe GAIT for Business and IT Risk

page 72

Guide to the Assessment of IT Risk (GAIT) methodology created by the IIA in 2007

Purpose:

Top-down approach for identifying IT General Controls

Four main principles:

1. Failure of technology is a risk that only needs to be assessed, managed, and audited IF it represents a risk to the business
2. Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls (including automated controls and ITGCs) required to manage or mitigate business risks
3. Business risks are mitigated by a combination of manual and automated key controls, and key automated controls must be assessed to manage or mitigate business risks
4. ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls

What are the 12 principles that risk management should follow according to ISO 31000?

page 72-73

1. Create value
2. Be integrated within routine organizational processes
3. Be integrated into ordinary decision-making processes
4. Provide a focus for identifying and understanding uncertainty
5. Be well structured and systematic
6. Be founded on accurate and reliable information
7. Be flexible to accommodate the features of the organization
8. Be reflective of the human element of activity
9. Be open and transparent
10. Be responsive to change through close monitoring of the environment
11. Be focused on continuous improvement
12. Be subject to cyclical review

What are the 8 steps of the GAIT-R methodology that mirror many of the stages of general risk management assurance?

page 74

Identify:

1. Business objectives for which controls are to be assessed
2. Key controls within business processes required to provide reasonable assurance that the business objectives will be achieved
3. Critical IT functionality relied upon for key business controls
4. Significant applications where ITGCs need to be tested
5. ITGC process risks and related control objectives
6. ITGCs, to ensure they meet the control objectives

Then:

7. Perform a reasonable holistic review of all key controls identified
8. Determine the scope of the review and build an appropriate design and effectiveness testing program

What is a SMART objective?

page 75

Specific, Stated
Measurable
Achievable
Resourced, Realistic, Relevant
Time-limited

Define an organization's vision.

page 76

A statement of where the organization wants to be, or a state of affairs it wishes to bring about in the future.

Walmart example: "If we work together, we'll lower the cost of living for everyone and give the world an opportunity to see what it's like to save and have a better life"

Define an organization's mission.

page 76

Statement of primary purpose.

Walmart example: "We save people money so they can live better."

**Sometimes mission and vision are the same.

What are the four main types of objectives according to Sobel and Reding (2012) and COSO?

page 77

1. Strategic Objectives (relate to the way the organization intends to fulfil and achieve its mission)
2. Operational Objectives (relate to the effective/efficient deployment of resources in achieving strategic objectives)
3. Reporting Objectives (relate to the communication of info internally and externally)
4. Compliance Objectives (relate to those activities designed to align actual practice with regulatory and contractual requirements and organizational policy)

Describe the 8 Model for Strategy Execution

page 78

Review/update, communicate, cascade, compare/learn, manage initiatives, set objectives, monitor/coach, evaluate performance.

Useful model for the integration of all objectives.

Describe the process of risk identification.

page 80

"Risk identification establishes the exposure of the organization, the market in which it operates, the legal, social, political, and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This includes knowledge of the factors critical to success, and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-added activities within the organization have been evaluated and all the risks flowing from these activities have been defined."

What does Chesshire (2010) state is needed to be successful at risk identification?

pages 80-81

- Be supported and promoted from the highest levels
- Be carefully planned with a clear briefing for all participants
- Be adequately resourced
- Be led by someone with specialist skills in RM and risk identification
- Involve a cross-section of individuals with the right blend of skills and knowledge regarding organizational activities
- Operate according to an agreed-upon set of rules
- Have clear objectives
- Communicate its outcomes clearly
- Make appropriate reference to good practice frameworks
- Take account of cross-departmental risks as well as those that fall within a single area
- Ensure that agreed-upon actions are recorded and subsequently implemented

How does ISO 31000 define risk identification?

page 81

"the process of finding, recognizing, and describing risks."

What is shaping the risk universe per COSO?

page 82
What are some tools that support the process of risk identification per Chesshire (2010)?

pages 83-84

- Checklists
- Benchmarking
- Scenario planning (what if...)
- Vulnerability assessments (process of identifying and evaluating risks by examining the potential for failure, i.e. points of failure)
- Risk brainstorming
- Control risk self-assessment (an exercise to assess risk and control strengths against a control framework)
- Questionnaires/surveys
- Risk identification workshops

Define Risk Universe.

page 85

Level of detail included in a risk universe depends on the needs and maturity of the risk management process. Risks are grouped into categories using appropriate classifications.

Define Risk Register

page 85

A structured record of all the key risks and their analysis, which should note the following:

- Description of the risk event
- Risk owner
- Inherent risk assessment (impact/likelihood)
- Info on the responses currently applied
- Residual risk
- Conclusion regarding acceptability of the risk
- Info on any actions to be taken
- Monitoring controls to be applied

Define Speculative risk.

page 86

Opportunity. Risks that can be exploited for gain.

"Upside risk"

Define Pure Risk.

page 87

Wholly negative risk. "Downside risk"

Risks that are purely destructive or negative

Describe the difference between "Well-known", "Hypothetical", and "Unknown" risks.

page 87

Well-known - based on STRONG knowledge
Hypothetical - based on incomplete/uncertain knowledge
Unknown - based on the absence of knowledge

Describe "foreseeable" versus "unforeseeable" risks.

page 87

Foreseeable - known, or at least knowable, risks provided we have good intelligence
Unforeseeable - cannot be understood or predicted with any degree of accuracy

Describe "theoretical" versus "significant" risks.

page 87

Theoretical risks - they exist, but are so unlikely or will have such little impact that they are NOT worth considering
Significant risks - they have the ability to frustrate strategy or offer valuable new opportunities

Describe "business" risks.

pages 88-89

Business risks - can be +/- and stem from the nature of the business itself, the way it operates, the goods/services it delivers, and the resources it uses.

Including risks sub-categorized into: Strategy, Enterprise, Products, Economic, Technology, Property

Describe "non-business" risks.

page 89

Non-business risks: any other type of risk not arising DIRECTLY from the nature of the business.

Including risks sub-categorized into:

- Financial (Liquidity, Gearing, Default, Credit, Foreign-exchange, Interest-rate, Market)
- Event (Disaster, Regulatory, Reputation, Systemic)
- Operational (Fraud, IT)

Define Risk Profile

page 89

Overall distribution of risks across an organization

What might a Bow-tie diagram be used to better understand? Describe it.

page 90

Bow-tie diagram - helps determine correlations, interdependencies, and conditions that could lead to a risk event, to help clarify the potential effect or danger

Define risk criteria

page 91

Factors or dimensions that may be used to analyze risks

ISO 31000 definition: terms of reference against which the significance of risk is evaluated; they are based on organizational objectives, and external and internal context.

Define Governance risk

page 91

Sets the framework in which risk management takes place and covers the four key factors:

1. Risk Capacity,
2. Risk Attitude,
3. Risk Appetite, and
4. Risk Tolerance.

What types of impacts can be included in analyzing a risk?

pages 91-92

- Financial (earnings etc.)
- Financial reporting (errors)
- Reputational
- Environmental (improvement/deterioration of)
- Safety (affecting employees/customers/others)
- Legal (litigation/reward/punishment)

How can velocity affect assessing a risk?

page 92

Velocity = speed of onset

But can also be split into speed of reaction/speed of recovery

What is the difference between Risk Interdependency and Risk Correlation?

page 93

Risk Interdependency - the causal relationship between two or more risks (both earthquake and tornado happening, causing a risk to happen at once)

Risk Correlation - the interdependency of two risks (weak national economy results in foreign exchange risks)

With correlation, rather than the mutual dependency of risks (as with interdependency) precipitating new and potentially unexpected risks, the impact or likelihood of the risks varies.

What does risk assessment and evaluation include?

pages 93-94

- Assessing the likelihood (frequency/probability)
- Assessing the impact (outcome of an event per ISO 31000)
- Assessing other dimensions (velocity, volatility, interdependencies)
- Measuring severity/inherent risk (magnitude, expressed in terms of a combination of impact & likelihood)
- Comparing severity with the related risk appetite
- Determining an appropriate response (considering residual risk and appetite)

What is the downfall of most risk assessment tools such as heat maps and threat/opportunity maps?

page 98

They use an oversimplified system in which numbers are applied to everything to make them comparable AND they don't normally consider the other factors of risks (velocity/volatility).

Define risk psychology

page 100

The subjective elements of risk assessment.

Such as whether you personally are a 'risk taker/avoider'. Consider plane versus car travel.

Define risk attitude (not the same as risk appetite).

page 101

Aggregated risk appetite when considering the organization's attitude of:

- risk-averse (prefers options with better returns/low risk),
- risk-neutral (prefers highest return while indifferent to risk), and
- risk-seeking (actively seeks high risk strategies).

What are the risk response options?

page 102

Treat (COSO=Reduce, ISO=Mitigate) - introduce/strengthen internal controls to mitigate the risk

Tolerate (COSO/ISO=Accept) - accept the risk, based on a sound understanding of it only

Transfer (COSO/ISO=Share) - apportion some or all of the risk to a third party, typically through insurance, a joint initiative, or outsourcing

Terminate (COSO/ISO=Avoid) - cease the activity or withdraw from the situation

****ISO 31000 also has Exploiting - accepting/increasing the risk to maximize the potential benefit

How do you determine the risk capacity of an organization, according to Sobel and Reding (2012)?

pages 103-104

- Readiness/Preparedness (how well the organization can mount its reaction and implement a response)
- Agility (ability to vary the response if needed)
- Resilience (ability to continue to mount a response)
- Controllability (how much influence the organization may exert over the risk)
- Monitorability (how closely they are able to track and receive data)
- Maturity
- Degree of Confidence (how well the risk is understood)

What are the four types of controls for treating risks?

page 107

1. Preventative (hard) - designed to stop or limit the possibility of an event happening (SoD or Access)
2. Detective (hard) - detect the occurrence of an event
3. Directive (soft) - encourage desired behaviors (training, manuals, policies)
4. Corrective (soft) - restore normality after an occurrence (virus isolation, procedures, continuity plans)

What are the main areas of IT General Controls (one half of the overall IT area)?

pages 109-110

General controls: operate at the most fundamental level and ensure the integrity of IT outputs.

- Control environment,
- Change management,
- Source code/document version-control procedures,
- Software development life cycle standards,
- Security policies/standards/processes,
- Incident management policies/procedures,
- Technical-support policies/procedures,
- Hardware/software configuration/testing,
- Disaster recovery/backup and recovery.

What are the main areas of IT Application Controls (one half of the overall IT area)?

pages 110-111

Application controls: FULLY AUTOMATED to ensure correctness of processing throughout the system by:

- Completeness checks,
- Validity checks,
- Identification,
- Authentication,
- Authorization,
- Problem management,
- Change management, and
- Input controls.

What are exogenous events and endogenous events as defined in Deloitte's 2005 study of UK companies?

page 111

Exogenous events: external 'one-off shocks' and other situations that can be anticipated but not controlled (e.g., terrorism or a flu epidemic).

Endogenous events: internal occurrences caused by management practices and corporate governance

What is risk mitigation planning according to the Project Management Institute (PMI)?

page 112

The process of developing options and actions to enhance opportunities and reduce threats to project objectives. Risk mitigation implementation is the process of executing risk mitigation actions. (2013)

What are the suggested steps for addressing emerging risks according to PwC's 2009 study?

page 114

1. Identify emerging risks relevant to the organization (extra emphasis on scenario planning and projecting trends)
2. Assess the risks' significance and interconnectedness with other risks, and their implications for the business (i.e. deep analysis)
3. Determine risk response strategies, considering collaboration with external parties (focus on transfer/share)
4. Routinely monitor emerging risks through the effective use of indicators (prioritized until better understood)

What should be included in a risk management reporting communication?

page 115

- Changes in the risk register
- Weaknesses identified
- Risk incidents (materialization of a risk) and treatment effectiveness
- Updates on actions to treat risks

Define risk escalation

page 116

The process of reporting risk incidents up the 3 lines of defense

Define risk capture.

page 116

The ability to recognize and record the materialization of a risk incident

**Need to strike a balance between risk info overload due to small risk reports and not getting significant ones captured

What are the 3 goals of the review of the risk management process per Sobel and Reding (2012)?

page 118

1. To identify and repair weaknesses and faults in the RM process.
2. To identify changes in the organization's objectives and environments, and to ensure that RM processes remain in alignment.
3. To determine that the organization is achieving its goals (because RM is working).

What is the greatest challenge that is unique to conducting and interpreting risk prioritization exercises?

The assumption that different risk criteria (likelihood/impact) carry equal weight in the analysis.

NOT subjectivity/judgement, because (although it is a risk) it can be redressed if the parameters associated with a numeric score are articulated clearly and examples are added.

Risk assessment reviews can be qualitative or quantitative. Which is more complex? More precise?

Quantitative assessments are more complex than qualitative assessments but typically yield more precise measures.

What is one way to judge 'effective' ERM?

Assess whether risks have been controlled across COSO's ERM framework components with reasonable assurance that risk management will allow the firm's objectives to be achieved.