Enterprise Risk Management Questionnaire

This document contains an enterprise risk management (ERM) questionnaire sourced from www.knowledgeleader.com. It is organized into sections covering the internal environment, objective setting, risk and event identification, risk assessment, risk response, control activities, information and communication, board of directors questions, management questions, indicators of common risk management failures, and trading activities and use of derivatives. The questionnaire contains over 100 questions; each row provides columns for a Yes/No/NA answer, a comment, whether an action plan is needed, and the action plan itself. It aims to identify areas needing improvement and actions to strengthen risk management.


Enterprise Risk Management Questionnaire

NO. ASSESSMENT QUESTION YES NO NA COMMENT ACTION PLAN NEEDED? ACTION PLAN
A. INTERNAL ENVIRONMENT QUESTIONS
1 What is the overall risk appetite of the organization?
2 How committed is the board of directors (BOD) to establishing a risk management philosophy?
3 Describe the overall integrity and ethical values and commitment to competence of the organization.
4 Is the assignment of authority and responsibility over risks well-managed?
4.a Who manages this process?
5 What is the organizational structure of the company and the department?
6 What HR standards related to risk management are currently in place?
B. OBJECTIVE SETTING QUESTIONS
1 How well are strategic and related objectives defined?
2 How is the achievement of these objectives monitored?
3 What activities are on the risk management goal sheet for the year?
4 What does the company need to do well over the next year in order to succeed and reach its goals?
4.a What factors do you consider to be critical to the company's success in the next year?
5 What areas would you like to see moved to the next level of performance?
6 What would prevent you from achieving the goals (e.g., people, processes, funding, etc.)?
C. RISK AND EVENT IDENTIFICATION QUESTIONS
1 How do internal and external forces impact the risk profile?
2 What other event identification techniques are in place (e.g., self-assessment, Sarbanes-Oxley, report review, trend reporting, fraud hotline, etc.)?
3 How are deficiencies captured and reported?
4 How does the organization distinguish between risks and opportunities?
5 Do we use a common language, or set of terms, to describe the various risks we face?
5.a Does everyone with management responsibilities use it?
5.b Is it effective in facilitating and sustaining an ongoing dialogue about the risks?
6 How do the current business realities in the external environment affect the risks?
6.a Is the business model effective in creating and protecting enterprise value? How do we know?
6.b Are we exceeding or meeting customer expectations and needs? How do we know?
6.c Do we have an edge on the competitors, or do they have an edge on us?
6.d Are we operating better, faster and at less cost? How do we know?
6.e Are we gaining or are we losing market share? How do we know?
6.f Are we in compliance with applicable laws and regulations? How do we know?
7 What are the most significant business risks?
7.a Are the risks written down and prioritized? Is there agreement among top management?
7.b Are we involved in or do we operate different businesses such that the risks should be identified separately for each business?

7.c Are there some overall corporate risks that are shared and common between all business units and geographic locations?
7.d Should evaluation of these risks be coordinated enterprise-wide?
7.e Are there complex or unique risks within business units or geographies that require specialized knowledge and expertise to evaluate?
8 How do we rate the quality, reliability and relevance of the risk reporting?
8.a Internal management reporting?
8.b External financial reporting?
9 Is the risk identification and prioritization current?
9.a Have new facts and conditions emerged since the last assessment?
9.b Have we sufficiently considered all business risks and not just those of a financial nature (e.g., strategic, operating and information risks)?
9.c Do we regularly "re-identify" and "re-prioritize" the business risks and keep them up to date with current business and market realities?
D. RISK ASSESSMENT QUESTIONS
1 What do you perceive to be the largest risks to the company in terms of significance and likelihood? See Protiviti Risk Model for examples.
2 What do you perceive to be the biggest risks within the area of control? Please provide examples.
3 Thinking of other areas within the company, how well do you receive information from the shared services groups (e.g., IT, Finance, HR)?
4 What additional information would you like to have accessible in order to help you better perform the management responsibilities?
5 In your opinion, what areas or processes are most susceptible to fraud?
6 Are you aware of any instances of fraud within the company?
6.a What/how/who?

Source: www.knowledgeleader.com ERM Questionnaire 1


E. RISK RESPONSE QUESTIONS
1 How are risks monitored and reported within the organization?
2 How effectively are you managing identified risks?
3 What are you doing specifically to manage identified risks (e.g., financial statement variance reporting, trend reporting, credit reporting, insurance policies, legal, BOD involvement and reporting)?
F. CONTROL ACTIVITIES QUESTIONS
1 What is the assessment of the effectiveness of overall controls in preventing risks and carrying out risk activities within the organization?
2 How are control activities tested?
3 What type of review process takes place for policies and procedures?
4 What type of review process takes place for IT application controls and the IT general control environment?
5 What does the company do to address entity-specific controls?
G. INFORMATION AND COMMUNICATION QUESTIONS
1 How does the organization/the department capture information- and communication-related risk?
2 What communication barriers are present within the organization?
3 What ongoing monitoring activities are in place (e.g., compliance monitoring, IA risk management group, BOD monitoring, etc.)?
4 How are control evaluation results communicated?
H. BOARD OF DIRECTORS QUESTIONS
1 Does management involve the board timely during the strategy-setting process, including when making decisions to accept or reject risk?
2 Are you satisfied with the substance of the board-level dialogue regarding "risk appetite," i.e., executive management's "view of the world," which drives the organization's strategic choices?
3 Are you confident the company isn't taking significant risks without the board's knowledge?
4 Does the board understand the priority business risks and how those risks are addressed, and are the risks on the list?
5 Is there sufficient time during board meetings to discuss these priority risks?
6 Is the board satisfied with the reports it receives?
7 Has management reported to the board on the status of the company's ERM process using the applicable credit rating service's evaluation criteria?
7.a Are the organization's risk management culture and governance functioning effectively?
7.b Is there sufficient clarity around the roles, responsibilities and accountabilities of those responsible for risk management, and are they positioned appropriately within the organization to influence decision-making?
7.c Do risk management policies cover such factors as risk tolerance, the company's internal and external reporting, and the processes, personnel and technology for assessing the critical financial and nonfinancial risk?
7.d Does the risk management infrastructure support risk communications at all levels?
7.e Is risk management effectively integrated with strategy-setting and business planning?
7.f Does the risk management methodology provide for appropriate metrics for assessing and quantifying significant measurable risks and incorporating risk into corporate decision-making?
8 Do board members' backgrounds give insight into the potential effectiveness of risk management oversight?
9 Do board members' backgrounds indicate each person has the right experience to effectively guide the company (e.g., right mix of industry, operations and business environment)?
10 Does the board makeup and structure enable effective oversight (e.g., role of independent directors, a charter that describes responsibilities for this oversight among the committees, etc.)?
11 Do board oversight activities facilitate setting the right tone, clear expectations, active challenging of management, and ability to effectively monitor risk management?
12 Has the board advised management of business scenarios they need to contemplate in their planning process?
13 Does the board understand management's capabilities to execute its strategy within the organization's risk appetite?
14 Does the board take substantive steps to understand the company's significant risk exposures, or is it just engaged in occasional ad hoc and reactive treatment of risk and risk management in the boardroom?
15 Do the reports submitted to the board provide transparency about the largest risk exposures throughout the organization, including the risks undertaken by different business units and activities?
I. MANAGEMENT QUESTIONS
1 Do you understand the significant uncertainties, or soft spots, inherent in the organization's strategies for achieving its business objectives and performance goals?
2 Have you communicated these uncertainties to the board?
3 Are you highly confident that the organization is managing all potentially significant business risks?
4 Is there an enterprise-wide process in place to identify and prioritize risks?
5 Do you periodically revisit risk assessments to determine whether there are changes?
6 Is there an effective oversight structure established to clarify roles, responsibilities and accountabilities with respect to management?

7 Is there an effective oversight structure established to ensure that improvements in risk management capabilities are on schedule?
8 Have you self-assessed the company's ERM quality using the applicable credit rating service criteria (e.g., the S&P components) to ascertain whether any gaps exist?
8.a If gaps do exist, have you developed an action plan to improve risk management capabilities on a timely basis?
8.b Do you know what the priority risks are?
8.c Have you compared the list of risks against the key risks S&P identify for the industry?
8.d Have you considered emerging risks and the organization's ability to avoid losses in excess of established tolerances?
8.e Have you evaluated both the design and operating effectiveness of the policies, infrastructure and methodologies underlying the ERM process? If so, have you shared the results with the board?
8.f With respect to the priority risks, are they owned by someone or by some committee, function or unit empowered to act with clear accountability for results?
8.g Are these risks managed against established risk tolerances with the intent to reduce exposure to unexpected losses?
9 Do you know what the largest risk exposures facing the company are? For example, is anyone engaged in activities that are, in effect, "betting the company" or putting its reputation at risk? If so, do you involve the board in assessing them and the actions to take?
10 Do you involve the board in the assessment of strategic business risks, including the decisions as to which ones to accept and which ones to reject?
11 Do you periodically revisit your risk assessment to determine whether the circumstances and conditions have changed or whether there are new emerging risks?
12 Is effective accountability for the largest risk exposures established through a clear policy structure and effectively designed procedures, metrics, measures and monitoring?
13 Does management make it clear to everyone that the violation of established policies and limits related to the largest risk exposures is subject to disciplinary action?
14 Is there an effective escalation process to ensure that problems are recognized and addressed before they start?
15 Are you satisfied that individuals within the organization are willing to contact those above them in order to warn them of the problem?
15.a In this regard, does the organization have an open, risk-aware culture?
J. COMMON RISK MANAGEMENT FAILURE EVALUATION QUESTIONS
Evaluate whether the organization is facing any of the following key indicators of these common risk management failures.
1 Common Failure: Poor governance and "tone at the top"
1.a A dominant chief executive ignores the warning signs posted by risk management and resists bad news or facts suggesting his or her strategy is not working.
1.b Management does not understand the nature of the risks undertaken by the organization.
1.c Risk is not considered explicitly by management when evaluating whether to enter new markets, introduce new products or consummate a complex acquisition or investment.
1.d Management does not involve the board with strategic issues and policy matters in a timely manner.
1.e There is ineffective or nonexistent communication of risk information up, down and across the organization.
2 Common Failure: Reckless risk taking
2.a Responsibility for risk management is not adequately defined or linked to the reward system or, worse, the incentive compensation program rewards unbridled risk taking.
2.b There are "star performers" who are making a great deal of money but no one understands how.
2.c There are large, unknown risk exposures representing "ticking time bombs" and management is not aware of them.
2.d The board is not providing sufficient oversight.
2.e There are significant conflicts of interest in complex, volatile and/or difficult-to-measure areas.
3 Common Failure: Inability to implement ERM
3.a Lack of executive management support and involvement of the right people.
3.b Lack of clarity as to the business motivation, leading to endless dialogue about the "what" and "why."
3.c Lack of traction due to delegation of initiative to lower levels in the organization.
3.e Viewing the existing risk management silo functions as "ERM" since they cover the risks.
3.f An ERM initiative that is neither enterprise-wide in scope nor strategic in focus.
3.g Noncompliance with the organization's risk management policy.
4 Common Failure: Nonexistent, ineffective or inefficient risk assessment
4.a Multiple risk assessments besiege the entity's process and functional owners due to a silo mentality.
4.b Risk management silos and the lack of a process view allow significant risk issues to go unnoticed.
4.c General counsel inhibits the risk assessment process with concerns over risk documentation.
4.d Periodic risk assessments rarely impact business plans and decisions.
5 Common Failure: Falling prey to a "herd mentality"
5.a Management continues to execute the same strategy and business model, regardless of whether market conditions suggest the assumptions underlying the strategy may be invalid.

5.b Management approaches the planning and budgeting process with a single-point estimate or view of the future.
5.c Alternative scenarios are rarely considered in periodic stress tests of financial models.
5.d The organization is too insular in its outlook, leading it to not "reality test" its assumptions about markets and the operating environment regularly.
6 Common Failure: Misunderstanding the "if you can't measure it, you can't manage it" mindset
6.a Confusing qualitative risk maps with "risk-measurement."
6.b Existence of large risk exposures for which there is little data and information.
6.c Lack of a continuous-improvement mindset in risk management and, in particular, risk measurement.
6.d Management believes that risk measurement and risk management are the same thing.
6.e Confusing "data" with "information."
7 Common Failure: Accepting a lack of transparency in high-risk areas
7.a Unexpected surprises occur from time to time as a result of previously unknown risks.
7.b Performance is evaluated after the fact, due to the lack of analytical tools and leading KPIs and KRIs.
7.c An enterprise-wide risk view is inhibited due to a high level of decentralized decision-making, risk management silos and ineffective oversight.
7.d Directors desire greater transparency in order to size exposure to risk and are not getting it.
8 Common Failure: Not integrating risk management with strategy-setting and performance management
8.a Poor alignment of risk responses with strategy and enterprise performance management.
8.b No connection of risk management to core management processes.
8.c No effort to anticipate risk scenarios that could derail execution of the strategy.
8.d Unacceptable risk-taking or unnecessary risk-averse activity.
9 Common Failure: Ignoring the dysfunctionalities and "blind spots" of the organization's culture
9.a Rewards for extreme entrepreneurial risk-taking.
9.b Pressures to achieve unrealistic targets, executive resistance to bad news and internal competition fostering a warrior culture.
9.c Tolerance for obvious conflicts of interest.
9.d Inadequate linkage between risk management and priority business issues.
9.e Gaps and overlaps in risk management responsibilities.
10 Common Failure: Not involving the board in a timely manner
10.a The board is only engaged in occasional, ad hoc treatment of risk and risk management.
10.b Management informs the board after the fact when significant risks are undertaken.
10.c Directors are not fully knowledgeable of the priority business risks facing the company.
10.e The organization's risk profile is rarely, if ever, discussed at the board level.
K. TRADING ACTIVITIES AND USE OF DERIVATIVES
1 If the company engages in significant trading activities or uses derivatives in a significant way, is the financial and risk management strategy clear?
1.a Are the objectives clear (e.g., does the program exist to hedge exposures or generate profits)?
1.b Are the hedging strategies effectively articulated, including the particular instruments allowed?
1.c Are liquidity implications reported upon and well understood, including contingency planning?
1.d Is there a limit structure that specifies management's risk tolerance?
1.e Is there an exit strategy articulating the level of maximum acceptable loss, with a process in place to unwind the positions if the limit is hit?
1.f Is it clear who is authorized to execute transactions?
1.g Have the responsibilities of risk oversight personnel been defined, and do they have the appropriate backgrounds to ensure that trading and derivative risks are well understood?
1.h Are sufficient controls in place, including segregation of duties around executing transactions, access controls, settling transactions and valuing positions?
1.i Are counterparty risks periodically reviewed, defined and well understood?
1.j Is there adequate and consistent periodic reporting on the risks, based on marking the portfolios to market?
