CIA -part 3 ISO 31000 RM

Assessing the adequacy of Risk Management using ISO 31000

The Standards' definition of RM
It is the process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives
COSO definition of RM
It is a process effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
ISO 31000
States that the success of risk management will depend on the effectiveness of the management framework that provides the foundation and arrangements embedding it throughout the organization at all levels. A risk management framework refers to the components and organization of risk management within an entity
IA assessment of RM
- organizational objectives support and align with the organization's mission
- significant risks are identified and assessed
- appropriate risk responses are selected that align risks with the organization's risk appetite
- relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities
ISO 31000 definition of RM
A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization
RM framework
It is inherently embedded in an organization's overall strategic and operational policies and practices; it allows for the building of a risk-smart workforce and environment while still allowing for responsible risk-taking and innovation
Organizational arrangements
This includes plans, relationships, accountabilities, resources, processes, and activities
Risk attitude
An organization's approach to assessing and eventually pursuing, retaining, taking, or turning away from risk
Management responsibility of RM
Setting the organizational attitude regarding risk and ensuring that the organization communicates levels of risk through quarterly and annual reports, press releases, and investor calls
Board responsibility of RM
Determine that the risk attitude is aligned with the best interests of shareholders and provide governance oversight of ERM; the board should understand the key elements of ERM, ask management about risk, and concur on certain management decisions; it ensures that risks are managed and that there is an adequate risk management system in place
Stakeholders responsibility of RM
Should be given sufficient information to understand the risk attitude of management and the board in order to invest in accordance with their tolerances for potential variation in performance
Monitoring of RM
Can be done in two ways: through ongoing activities or through separate evaluations. Management needs to determine whether the ERM components continue to be relevant and able to address new risks. The greater the degree and effectiveness of ongoing monitoring, the less need there may be for separate evaluations
Need for assurance
Arises from the governance processes of an organization. Its origin is in the stewardship relationship between the board of an organization and its stakeholders
IA responsibility for RM
Must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. Provide independent and objective assurance to the organization's board regarding the effectiveness of the organization's ERM activities
Risk management purpose
It is a management process that promotes the cost-effective achievement of organizational objectives; assurance provides reliable information about the achievements of risk management activity
IA assessment of the RM process
- The risk management process has been applied appropriately and all elements of the process are suitable and sufficient
- The risk management process is in keeping with the strategic intent of the organization
- All significant risks have been identified and are being treated
- Controls are being correctly designed in keeping with the objectives of the risk management process
- Critical controls are adequate and effective
- Review by line management and other non-audit assurance activities is effective at maintaining and improving controls
- Risk treatment plans are being executed
- There is appropriate progress, as reported, in the risk management plan
Risk management process
- establish an organization-specific, documented risk management framework
- provide a structured analysis of the risks of the organization, recording:
~ the organizational objectives and their associated risks
~ potential exposures in the assessment of current risk
~ the organizational position responsible for managing each risk and the key control systems established to manage each risk
IA review of RM
- Assurance on the risk management process itself
- Assurance on significant risk management assertions
- Follow-up of risk treatment plans
Assurance process forms
Process elements approach
Key principles approach
Maturity model approach

Each offers a different perspective on the effectiveness of a risk management process in an organization; the approach must be tailored to the organization's needs
Process element approach
ISO identifies 7 components to determine whether each element of the risk management process is in place
7 components of RM process
Setting the context
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Monitor and review
Key principles approach
To be fully effective, the RM process must satisfy a minimum set of principles or characteristics
Maturity model approach
Builds on the assertion that the quality of an organization's RM process should improve with time. Performance against the measurement plan is monitored and reported to senior management
RM creates and protects value
This implies the application of the most rigorous risk management when the value at stake is high. It also suggests that a range of techniques applicable at various levels of exposure should be available in the organization
RM is an integral part of organizational processes
Risk management should not be seen as an add-on task