What is the purpose of ERM according to COSO? What does ERM stand for?
- Enterprise Risk Management
- A process applied in strategy setting
- designed to identify potential events that may affect the entity,
- and then manage these events within its risk appetite,
- to provide reasonable assurance regarding the achievement of entity objectives.
What are the ERM objectives and a brief definition?
- Strategic: high-level goals designed to achieve the mission
- Operations: effective & efficient use of resources
- Reporting: dissemination of timely, accurate information
- Compliance: with laws and regulations
What are the 8 components of ERM?
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring
What are the key elements of the ERM Internal Environment?
- Ethical values and integrity (and what happens when these are violated)
- Board oversight
- Organizational structure (such as centralized vs decentralized structure)
- Commitment to Competence
- Accountability = authority & responsibility
- Human resources standards (hiring, promoting, compensating)
- Appetite for Risk
- Philosophy on Risk
What is Risk Appetite? To which component does this key element belong?
- The amount of risk an organization will accept in the pursuit of value maximization. It is used to balance strategy with return.
- Belongs in the Internal Environment element.
What is the difference between Risk Appetite and Risk Tolerance?
- Risk Appetite refers to the risk associated with balancing acceptable levels of risk vs return (or growth).
- Risk Tolerance is the accepted level of variation relative to the achievement of an objective. Ex: An airline's objective is 95% on-time arrivals; the acceptable tolerance is 85-95%.
What are some external and internal factors (categories) that influence events?
- External: social (demographics)
- External: technological (new distribution channels)
- External: economic (recession, new competitors)
- External: political (change in regulations)
- External: natural (storms)
- Internal: technology (theft of intellectual property)
- Internal: infrastructure (assets, capital)
What are some event identification techniques?
- Event Inventories = lists of potential events common to companies in an industry
- Internal Analysis
- Escalation or Threshold Triggers = A comparison of an activity to predefined criteria (such as variances from standards)
- Analytics such as trend analysis
What is inherent risk?
The risk to an organization that exists if management takes no action.
What is residual risk?
The risk to an organization that exists after management takes action.
What are the four ERM Risk Responses to risk?
- Avoidance -- Exit the activity giving rise to the risk. Ex: Terminate an underperforming product line rather than try to improve its performance; or outsource the activity
- Reduction -- Take action to reduce the likelihood or impact of the risk. Ex: hire competent people
- Sharing -- Transfer a portion of the risk to another party. Ex: purchase insurance; use hedges
- Acceptance -- Take no action, either because the risk is within the entity's risk appetite, or because it cannot be cost-effectively avoided or reduced and has little impact
What are specific examples of ERM control activities that can be utilized by management?
- Segregation of duties
- Use of written policies and procedures to ensure consistency and carryover
- Physical Controls
- Information processing
What is ERM Information and Communication and its key elements?
- Make certain the right people have the right info, in a timely manner
- Obtain and use data
- Internal Reporting
- External Reporting
Even if an entity properly utilizes an ERM or Internal Control framework, what are some limitations that can derail these efforts?
- Bad decisions
- Human error
- Poor objective setting
- External events beyond the entity's control
- Circumvention of policies through collusion
- Management override of policies or procedures
Ethics is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Ethics is a compliance issue.
Attempting to rank in the top quartile for the industry is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Strategic (a high-level goal tied to the mission).
Responding to the needs of customers and suppliers is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Operations (effective and efficient use of resources).
Developing a uniform chart of accounts is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Reporting (reliable, consistent information).
Developing objectives such as the entity conforms to GAAP is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Reporting (reliability of financial reporting).
Developing an objective to maintain a safe level of carbon dioxide emissions during production is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Compliance (with environmental laws and regulations).
Which of the following provides oversight of an entity's ERM? (1) financial executives, (2) the risk officer, (3) management, (4) the board of directors
The board of directors
What is the purpose of the event identification activity?
To identify events that could influence the corporation, and then distinguish whether the event is positive (opportunity) or negative (risk)
What are the 4 stages of the monitoring-for-change continuum?
- (1) Control Baseline = understanding the internal control system's design and whether the controls have been implemented
- (2) Change Identification = the use of evaluations to identify and address changes in internal control effectiveness
- (3) Change Management = establishing a new control baseline in response to revised needs
- (4) Control Revalidation/Update = periodic confirmation that a control remains effective
Establishing an ethics hotline and assigning a corporate officer to conduct ethics training and to monitor the hotline is considered part of which type of objective: (1) reporting, (2) operations, (3) strategic, (4) compliance
Compliance (ethics is a compliance issue).