This document contains Anne Marielle Pla Uy's answers to multiple choice and true/false questions about risk management frameworks and concepts. It discusses key aspects of frameworks like COSO and ISO 31000. Some key points made are that COSO views culture as the main driver of risk management rather than a separate function, and that the ISO answers how an organization should manage its risks while COSO focuses on value creation. It also discusses different types of risks like liquidity risk, business risk, and operational risk, and techniques for managing risk like avoidance, sharing, and reduction.
NAME: Anne Marielle Pla Uy
I. True or False. Justify your answer.
1. COSO ERM Framework focuses on culture as the main driver of risk management.
Answer: True. The COSO ERM does not require a separate risk management function; it does not view ERM as a function or department but as culture, capabilities, and practices.

2. One of the most widely used risk management frameworks is COSO, which talks about value creation and answers "how should an organization manage its risk?"
Answer: False. It is the ISO that answers "how should an organization manage its risk?"

3. The Board of Directors should be responsible for the oversight of a company's Enterprise Risk Management system to ensure its functionality and effectiveness.
Answer: False. It should be the Board Risk Oversight Committee that is responsible for the oversight of a company's ERM system to ensure its functionality and effectiveness.

4. Each company can establish its own enterprise risk management framework tailored to its own needs.
Answer: True. Each organization has its own approach to oversight and governance.

5. Information technology risk is an example of operational risk.
Answer: True. IT risk is the potential for technology shortfalls to result in losses. This includes the potential for project failures, operational problems and information security incidents.

6. When there is only one possible outcome to a decision, risk or uncertainty is present.
Answer: True. Certainty refers to the situation where there is only one possible outcome to a decision and this outcome is known precisely. For example, investing in Treasury bills leads to only one outcome (the amount of the yield), and this is known with certainty. The reason is that there is virtually no chance that the government will fail to redeem these securities at maturity or that it will default on an interest payment. On the other hand, when there is more than one possible outcome to a decision, risk or uncertainty is present.

7. A pure risk is a chance of loss or no loss, but no chance of gain.
Answer: True. Pure risk is the potential for losses and, in contrast to speculative risk, there is no opportunity for gain.

8. A risk seeking individual is one who prefers less risk for the same expected return.
Answer: False. An individual is said to be risk seeking if the certainty is greater than the expected value of an investment alternative.

9. The main objective of Risk Management is the mitigation of risk.
Answer: True. Risk management is the approach to identifying risks with the aim of preventing, mitigating or eliminating the potential harm from those risks.

10. The President is the ultimate champion of ERM at the company.
Answer: False. It should be the Chief Risk Officer, who is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization, and who works diligently with senior management.

II. Multiple Choice. Discuss your chosen answer.

1. The risk that refers to uncertainty about the rate of return caused by the nature of the business is
a. Default risk b. Business risk c. Liquidity risk d. Financial risk
Financial risks are everywhere and come in many different sizes, affecting everyone. You should be aware of all financial risks. Knowing the dangers and how to protect yourself will not eliminate the risks, but it will mitigate their harm.

2. The risk associated with the uncertainty created by the inability to turn an investment quickly into cash is
a. Interest rate risk b. Business risk c. Liquidity risk d. Default risk
Liquidity risk occurs when an individual investor, business, or financial institution cannot meet its short-term debt obligations. The investor or entity might be unable to convert an asset into cash without giving up capital and income due to a lack of buyers or an inefficient market.

3. The risk that the real rate of return will be less than the nominal or stated rate of return due to inflation is referred to as
a. Purchasing power risk b. Liquidity risk c. Default risk d. Business risk
The chance that the cash flows from an investment won't be worth as much in the future because of changes in purchasing power due to inflation.

4. Operational risk is manifested in all of the following except
a. Interest rate volatility b. Process stoppage c. Technological obsolescence d. Management fraud
Operational risk pertains to the execution of the basic activities within a process and encompasses the potentially wide range of things that can go wrong within a process. Potential risks relate to excessive breakdowns or work stoppages in the process.

5. Financial risks associated with financial institutions include the following except
a. Liquidity risk b. Credit risk c. Market liquidity risk d. Environmental risk
Environmental risk management seeks to determine what environmental risks exist and then determine how to manage those risks in a way best suited to protect human health and the environment.

6. Non-financial risks include the following except
a. Compliance risk b. Reputation risk c. Market risk d. Disaster risk
Market risk is the possibility of an investor experiencing losses due to factors that affect the overall performance of the financial markets in which he or she is involved.

7. ISO 31000 suggests that once risks have been identified and assessed, techniques to manage the risk should be applied. These techniques include the following except
a. Avoidance b. Sharing c. Reduction d. Complete disregard
ISO 31000 provides a level of reassurance in terms of economic resilience, professional reputation and environmental and safety outcomes. In a world of uncertainty, ISO 31000 is tailor-made for any organization seeking clear guidance on risk management.

8. The technique of eliminating or reducing risk, which could mean losing out on the potential gain, is called
a. Avoidance b. Sharing c. Reduction d. Acceptance
Risk reduction deals with mitigating potential losses while engaging in potentially risky financial behavior.

9. This technique involves accepting the loss or benefit of gain from a risk when it occurs
a. Avoidance b. Sharing c. Reduction d. Acceptance
Retention involves accepting the loss, or benefit of gain, from a risk when it occurs.

10. Key tenets of the Turnbull guidance include
a. Engaging all employees b. Streamlining risk management database c. Ongoing, continuing monitoring of risk and control d. All of the above
The Turnbull guidance covers the following areas: engaging all employees, streamlining the risk management database, and ongoing, continuing monitoring of risk and control.

III.

1. Discuss Risk, Hazard and Uncertainty. Explain how they differ from each other by giving an illustration.
A risk is an unplanned event that may affect one or more of your project objectives if it occurs. The risk is positive if it affects your project positively, and negative if it affects the project negatively. A hazard is a condition that increases the probability of loss. In uncertainty, the outcome of any event is entirely unknown and cannot be measured or guessed; you have no background information on the event.

Risk:
• the chance of harm caused by a hazard
• can predict the chance of an outcome in the future
• a situation involving exposure to danger
• uncontrolled certainty
• predictable loss
• quantifiable

Hazard:
• potential to cause harm
• something that poses a threat to life, health, property and the environment
• the condition that increases the probability of loss

Uncertainty:
• cannot predict the chance of an outcome in the future
• lack of certainty
• unpredictable damage
• unquantifiable
• ignorance of the future
• consequences of decision makers' actions

2. Enumerate the different classifications and types of risks. Briefly explain and give an example for each.

Classified based on its:
• Effect - involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences. Example: reducing the risk of injury through safety procedures.
• Controllability - the degree to which the risk owner (or owning organization) is able to control the risk's outcome. Example: What can you do to decrease your risk of developing heart disease? You can exercise regularly, avoid smoking, maintain a healthy weight, and eat healthful, nutritious meals.
• Correlation - refers to the risk of a financial loss when correlation in the market changes. Example: an increase in default correlation between bond issuers and insurers was observed, which represents wrong-way risk.
• Impact - an estimate of the potential losses associated with an identified risk. Example: a project team may estimate technical risks in terms of delays to a schedule.
• Drivers - an attribute, characteristic, variable or other concrete determinant that influences the risk profile of a system, entity or financial asset. Example: the number of potentially damaging incidents that could cause a disruption of service.

Types of Risks:
• Business Risk - refers to the basic viability of a business: the question of whether a company will be able to make sufficient sales and generate sufficient revenues to cover its operational expenses and turn a profit. Example: changing preferences of customers.
• Financial Risk - can sometimes be outside an organization's control, but can often be influenced by its actions. Example: having insufficient cash to meet obligations.
• Market Risk - risks which derive from the sector in which the business is operating, and from its customers. Example: failure to provide the goods customers require.
• Product Risk - the risk that customers will not buy new products (or services) provided by the organization, or that the sales demand for current products and services will decline unexpectedly. Example: customer experience issues such as a product with poor usability.
• Legal Risk - risk such as changes in the law. Example: a breach of regulations or of the Companies Act.
• Political Risk - depends to a large extent on the political stability in the countries in which an organization operates and the attitudes of governments towards protectionism. Example: changes in taxes can reduce the profitability of a business and affect the price of assets such as stocks.
• Technological Risk - arising from factors such as communication technology and transport options. Example: competitors achieve a technological advantage.
• Strategic and Operational Risks - this business risk can happen internally, externally or involve a combination of factors. Something could unexpectedly happen that causes you to lose business continuity. Example: an unexpected event could be a natural disaster or fire that damages or destroys your physical business.
• Environmental Risk - arising from changes in the political, economic, social and financial environment. Includes strategic risk. Example: a natural disaster affecting the supply chain.
• Probity Risk - is related to the governance and ethics of the organization. It can arise from unethical behavior by one or more participants in a particular process. It is often discussed in the context of procurement, where issues such as failing to treat information as confidential, lack of trust in business dealings and time spent in resolution of disputes may arise. Example: directors/officers receive high bonuses when the company is making losses.
• Reputation Risk - there has always been the risk that an unhappy customer, product failure, negative press or lawsuit can adversely impact a company's brand reputation. Example: production of poor quality.
• Fraud Risk - is the crime or offense of deliberately deceiving another in order to damage them, usually to obtain property or services unjustly. Example: failure to conduct background checks and other pre-employment screening, and weak internal controls.

3. Identify 3 main attitudes toward risk. Briefly explain.
• Risk averse - people are risk averse when they shy away from risks and prefer to have as much security and certainty as is reasonably affordable in order to lower their discomfort level. They would be willing to pay extra to have the security of knowing that unpleasant risks would be removed from their lives.
• Risk seeker - a risk seeker, on the other hand, is not simply the person who hopes to maximize the value of retirement investments by investing in the stock market. Much like a gambler, a risk seeker is someone who will enter into an endeavor as long as a positive long-run return on the money is possible, however unlikely.
• Risk neutral - an entity is said to be risk neutral when its risk preference lies in between these two extremes. Risk neutral individuals will not pay extra to have the risk transferred to someone else, nor will they pay to engage in a risky endeavor. To them, money is money. They don't pay for insurance, nor will they gamble.

4. Discuss the 5 commonly used standards in managing risks.
• COSO 2017 Enterprise Risk Management – Integrating with Strategy and Performance. The Enterprise Risk Management–Integrating with Strategy and Performance principles apply to all entities, including not-for-profit and governmental bodies, regardless of size. While some small and midsize entities may implement the principles of enterprise risk management differently than large entities, they remain applicable to every type of entity.
• COSO 2004 Enterprise Risk Management – Integrated Framework. In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued the ERM-Integrated Framework in 2003. This framework defines essential ERM components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for ERM.
• ISO 31000:2018 – Risk Management Principles and Guidelines. ISO 31000 helps organizations develop a risk management strategy to effectively identify and mitigate risks, thereby enhancing the likelihood of achieving their objectives and increasing the protection of their assets. Its goal is to develop a risk management culture where employees and stakeholders are aware of the importance of monitoring and managing risk.
• A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – developed in 2002 by the UK's 3 main risk organizations. The Risk Management Standard was originally published by the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC) and the Public Risk Management Association (Alarm) in 2002. It was subsequently adopted by the Federation of European Risk Management Associations (FERMA). Risk management protects and adds value to the organization and its stakeholders by supporting the organization's objectives.
• The Turnbull Guidance. Good internal controls should ensure that the company's management systems, accounting records, asset maintenance and compliance issues are operating correctly. In relation to financial years beginning before 1 October 2014, this note details the board's responsibilities for internal control, the recommendations of the Turnbull guidance and practical steps for their implementation, the risks to be covered, establishing an effective internal control system and reviewing it, and reporting to shareholders. The FRC's Internal Control: Guidance to Directors (known as the Turnbull guidance) is effective for financial years beginning before 1 October 2014.

5. Explain and assess the importance of the TARA framework for risk management.
Strategies for managing risks can be explained as TARA (or SARA): Transference (or Sharing), Avoidance, Reduction or Acceptance.
• Transfer. This means passing the risk on to another party which, in practice, means an insurer or a business partner such as a supplier or a customer.
• Avoid. This means asking whether or not the organization needs to engage in the activity where the risk is. If it is decided that the risk can be neither transferred nor avoided, it might be asked whether or not something can be done to reduce the risk.
• Reduce. This means diversifying the risk or re-engineering a process to bring about the reduction. It can also include risk sharing, which involves finding a party that is willing to enter into a partnership so that the risks of a venture might be spread.
• Retain. This means believing there to be no other feasible option. Such retention should be accepted when the risk and return characteristics are clearly known.

6. What is Enterprise Risk Management?
A process, effected by an entity's Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

7. Compare the COSO risk management approach with ISO.
While the frameworks provide firms with a pragmatic and unified ERM approach, they do have their differences. Some of the differences include: First, COSO targets accounting and auditing agencies, while ISO can be used by any organization. Secondly, ISO 31000 is used globally while COSO's main users are in North America. Lastly, COSO focuses broadly on corporate governance as a vital aspect of ERM, while ISO offers risk management as a part of an organization's entire strategic planning.

8. Explain the risk appetite and how this affects risk policy.
An organization-wide risk appetite statement can be a powerful tool that gives your risk or compliance program direction. However, like any policy, a risk appetite without accompanying action is nothing more than an idea.

9. Explain and analyze the concept of assessing the severity and probability of risk events.
Probability is the likelihood of an accident with a given hazard, while severity describes the highest level of damage possible when an accident occurs from a particular hazard.

10. Describe the steps in the risk management process that companies can adopt in establishing an effective risk management framework.
The first step is to identify the risks that the business is exposed to in its operating environment.

Once a risk has been identified it needs to be analyzed. The scope of the risk must be determined. It is also important to understand the link between the risk and different factors within the organization. To determine the severity and seriousness of the risk it is necessary to see how many business functions the risk affects.

Risks need to be ranked and prioritized. Most risk management solutions have different categories of risks, depending on the severity of the risk. A risk that may cause some inconvenience is rated low; risks that can result in catastrophic loss are rated the highest. It is important to rank risks because it allows the organization to gain a holistic view of the risk exposure of the whole organization.

Every risk needs to be eliminated or contained as much as possible. Not all risks can be eliminated; some risks are always present. Market risks and environmental risks are just two examples of risks that always need to be monitored.