-
What is the purpose of ERM according to COSO? What does ERM stand for?
- Enterprise Risk Management
- A process applied in strategy setting
- designed to identify potential events that may affect the entity,
- and then manage these events within its risk appetite,
- to provide reasonable assurance regarding the achievement of entity objectives.
-
What are the ERM objectives and a brief definition?
- Strategic: high-level goals designed to achieve the mission
- Operations: effective & efficient use of resources
- Reporting: dissemination of timely, accurate information
- Compliance: with laws and regulations
-
What are the 8 components of ERM?
- OR-I-CRIME
- Objective setting
- Risk Response
- ---
- Internal Environment
- ---
- Control Activities
- Risk Analysis
- Information and communication
- Monitoring
- Event identification
-
What are the key elements of the ERM Internal Environment?
- EBOCA-HAP
- Ethical values and integrity (and what happens when these are violated)
- Board oversight
- Organizational structure (such as centralized vs decentralized structure)
- Commitment to Competence
- Accountability = authority & responsibility
- Human resources standards (hiring, promoting, compensating)
- Appetite for Risk
- Philosophy on Risk
-
What is Risk Appetite? To which component does this key element belong?
- The amount of risk an organization will accept in the pursuit of value maximization. It is used to balance strategy with return.
- Belongs in the Internal Environment element.
-
What is the difference between Risk Appetite and Risk Tolerance?
- Risk Appetite refers to the risk associated with balancing acceptable levels of risk vs return (or growth).
- Risk Tolerance is the accepted level of variation relative to the achievement of objectives. Ex: An airline's objective is 95% on time arrivals; the acceptable tolerance is 85-95%.
-
What are some internal and external event influencing factors (categories)?
- EXTERNAL
- STEP-N
- social (demographics)
- technological (new distribution channels)
- economic (recession, new competitors)
- political (change in regulations)
- natural (storm)
- INTERNAL
- TIPP
- technology (theft of intellectual property)
- infrastructure (assets, capital)
- personnel
- process
-
What are some event identification techniques?
- Event Inventories = lists of potential events common to companies in an industry
- Internal Analysis
- Escalation or Threshold Triggers = A comparison of an activity to predefined criteria (such as variances from standards)
- Brainstorming
- Analytics such as trend analysis
-
What is inherent risk?
The risk to an organization that exists if management takes no action.
-
What is residual risk?
The risk to an organization that exists after management takes action.
-
What are the four ERM Risk Responses to risk?
- Avoidance -- Divest of the activity giving rise to the risk. Ex: Terminate an underperforming product line rather than improve its performance; or outsource
- Reduction -- Actions to reduce risk. Ex: hire competent people
- Sharing -- offload a portion of the risk to someone else. Ex: purchase insurance; use hedges
- Acceptance -- This is based on risk appetite, or realizing it can't be avoided but has little impact
-
What are specific examples of ERM control activities that can be utilized by management?
- Reviews
- Segregation of duties
- Use of written policies and procedures to ensure consistency and carryover
- Physical Controls
- Information processing
-
What is ERM Information and Communication and its key elements?
- Make certain the right people have the right info, in a timely manner
- OIE
- Obtain and use data
- Internal Reporting
- External Reporting
-
Even if an entity properly utilizes an ERM or Internal Control framework, what are some limitations that can derail these efforts?
- Bad decisions
- Human error
- Poor objective setting
- External events beyond the entity's control
- Circumvention of policies through collusion
- Management override of policies or procedures
-
Ethics is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Ethics is a compliance issue.
-
Attempting to rank in the top quartile for the industry is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
strategic
-
Responding to the needs of customers and suppliers is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
operations
-
Developing a uniform chart of accounts is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
reporting
-
Developing objectives such as the entity conforms to GAAP is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Reporting
-
Developing an objective to maintain a safe level of carbon dioxide emissions during production is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Compliance
-
Which of the following provides oversight of an entity's ERM? (1) financial executives, (2) the risk officer, (3) management, (4) the board of directors
The board of directors
-
What is the purpose of the event identification activity?
To identify events that could influence the corporation, and then distinguish whether the event is positive (opportunity) or negative (risk)
-
What are the 4 stages of the monitoring-for-change continuum?
- (1) Control Baseline = understanding the internal control system's design and whether controls have been implemented
- (2) Change Identification = The use of evaluations to identify and address changes in internal control effectiveness
- (3) Change Management = the possibility of establishing a new control baseline in response to revised needs
- (4) Control Revalidation/Update = the confirmation of a control's effectiveness
-
Establishing an ethics hotline and assigning a corporate officer to conduct ethics training and to monitor the hotline is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Compliance