Risk management processes include
(1) identification of context,
(2) risk identification,
(3) risk assessment and prioritization (i.e., risk analysis),
(4) risk response, and
(5) risk monitoring.

Management must focus on risks at all levels of the entity and take the necessary action to manage them.
All risks that could affect achievement of objectives must be considered.
Risk identification should be performed at every level of the entity (entity-level, division, business unit) relevant to the identified context(s).

Examples of external risk factors at the entity level include technological changes and changes in customer wants and expectations.

Examples of internal risk factors at the entity level include
- Interruptions in automated systems,
- The quality of personnel hired, and
- The level of training provided.
Some occurrences may be inconsequential at the entity level but disastrous for an individual unit. Risk identification should consider past events (trends) and future possibilities.

Methods used include the following:
1. Event inventories.
2. Questionnaires and surveys.
3. Leading event indicators and escalation triggers.
4. Facilitated workshops and interviews.
5. Process flow analysis.
6. Loss event data methodologies.

Other methods for identifying risks are
- Brainstorming,
- SWOT (strengths, weaknesses, opportunities, and threats) analysis, and
- Scenario analysis (what-if analysis).
Leading event indicators are measures that provide insight into potential events.

An escalation trigger, also known as a threshold trigger, is a condition that a leading event indicator must satisfy before the potential event is escalated to management.

For example,
- Potential event: Manufacturing equipment breakdown, resulting in decreases in production
- Leading event indicator: Maintenance requests
- Escalation trigger: Two maintenance requests outside of regularly scheduled maintenance within a 3-month period
Facilitated workshops and interviews
A facilitator leads a discussion group consisting of management, staff, or other stakeholders through a structured process of conversation and exploration about potential events.

Process flow analysis
A single business process, such as vendor authorization and payment, is studied in isolation to identify the events that affect its inputs, tasks, responsibilities, and outputs.

Loss event data methodologies
The losses associated with adverse events in the past can be used to make predictions. An example is matching workers' compensation claims with the frequency of accidents.

Step 3 - Risk assessment and prioritization
The risk assessment process may be formal or informal. It involves (a) assessing the significance of an event, (b) assessing the event's likelihood, and (c) considering the means of managing the risk. The results of assessing the likelihood and impact of the risk events identified are used to prioritize risks and produce decision-making information. Risk assessment methods may be qualitative or quantitative.

Qualitative Methods for Risk Assessment
Qualitative methods include (1) lists of all risks, (2) risk rankings, and (3) risk maps.
- Heat maps present risk levels by color. Risks that have the same likelihood (e.g., remote, unlikely, possible, likely, or certain) and impact (e.g., negligible, low, medium, high, or extreme), or that fall in the same range of severity (i.e., combined assessment of likelihood and impact), are assigned the same color.
- Matrix risk maps plot risks on a chart with likelihood on one axis and impact on the other axis.

Quantitative Methods for Risk Assessment
Quantitative methods include probabilistic models. For example, some organizations focus on earnings at risk by examining how variables influence earnings.

Risk Modelling
Risk modeling is a method of risk assessment and prioritization.
- Risk modeling ranks and validates risk priorities when setting the priorities of engagements in the audit plan.
- Risk factors may be weighted based on professional judgments to determine their relative significance, but the weights need not be quantified.
- Open channels of communication with senior management and the board are necessary to ensure the audit plan is based on the appropriate risk assessments and audit priorities. The audit plan should be reevaluated as needed.
- Risk modeling in a consulting service is done by ranking the engagement's potential to (1) improve management of risks, (2) add value, and (3) improve the organization's operations.
  -- Senior management assigns a weight to each item based on organizational objectives.
  -- The engagements with the appropriate weighted values are included in the annual audit plan.

Step 4 - Risk Response
Risk responses are the means by which an organization elects to manage individual risks. Each organization selects risk responses that align risks with the organization's risk appetite (the level of risk the organization is willing to accept). Controls are actions taken by management to manage risk and ensure risk responses are carried out. Control risk is the risk that controls fail to effectively manage controllable risks. Residual risk is the risk that remains after risk responses are executed. In large or complex entities, senior management may appoint a risk committee to (a) review the risks identified by the various operating units and (b) create a response plan. All personnel must be aware of the importance of the risk response appropriate to their levels of the entity.

Step 5 - Risk Monitoring
Risk monitoring (a) tracks identified risks, (b) evaluates current risk response plans, (c) monitors residual risks, and (d) identifies new risks.
The two most important sources of information for ongoing assessments of the adequacy of risk responses (and the changing nature of the risks) are
- Those closest to the activities. The manager of an operating unit is in the best position to monitor the effects of the chosen risk response strategies.
- The audit function. Operating managers may not always be objective about the risks facing their units, especially if they helped design a particular response strategy. Analyzing risks and responses is among the normal responsibilities of internal auditors.

Responsibility for Aspects of Organizational Risk Management
Risk management is a key responsibility of senior management and the board.
- Boards have an oversight function. They determine that risk management processes are in place, adequate, and effective.
- Management ensures that sound risk management processes are functioning.
- The internal audit activity may be directed to examine, evaluate, report, or recommend improvements. It also has a consulting role in identifying, evaluating, and implementing risk management methods and controls.

Board/Senior Management Responsibility for Risk Management
Senior management and the board determine the internal audit activity's role in risk management based on factors such as (1) organizational culture, (2) abilities of the internal audit activity staff, and (3) local conditions and customs. That role may range from no role; to auditing the process as part of the audit plan; to active, continuous support and involvement in the process; to managing and coordinating the process.
- But the assumption of management responsibilities and the resulting threat to internal audit activity independence must be fully discussed and board-approved.

CAE Responsibility for Risk Management
The CAE must understand management's and the board's expectations of the internal audit activity in risk management. The understanding is codified in the charters of the internal audit activity and the board.
If the organization has no formal risk management processes, the CAE has formal discussions with management and the board about their obligations for understanding, managing, and monitoring risks.

Characteristics of Risk Management Process
Risk management processes may be formal or informal, quantitative or subjective, or embedded in business units or centralized. They are designed to fit the organization's culture, management style, and objectives. For example, a small entity may use an informal risk committee. The internal audit activity determines that the methods chosen are comprehensive and appropriate for the organization.

IA's Role in Risk Management - Interpretation Standard
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite; and
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.
Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

IA's Role in Risk Management - Implementation Standard
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

Risk Management Steps for IA and CAE
In accordance with IG 2120, Risk Management, the CAE and internal auditors should:
1. Obtain a clear understanding of the organization's
- Risk appetite.
- Business missions and objectives.
- Business strategies.
- Risks identified by management. Risks may be financial, operational, legal or regulatory, or strategic.
- Current risk management environment and prior corrective actions.
- Means of identifying, assessing, and overseeing risks.
2. Consider risk management frameworks and models and IG 2100, Nature of Work.
3. Consider the characteristics of the organization. Examples are size, life cycle, maturity, stakeholders, environment, and changes in that environment (e.g., new management or products).
4. Review the maturity of the organization's risk management process and determine the reliance on management's risk assessment.
5. Have an established process for planning, auditing, and reporting risk management issues.

Maturity of Risk Management Process
The IIA's Practice Guide, Assessing the Risk Management Process, contains a risk management maturity model for measuring an organization's risk management maturity.
The maturity level of risk management can be measured using various elements, including risk culture, risk governance, and risk management process. Elements may have different maturity levels. For example, an organization's risk culture may be at the defined maturity level, but risk governance and risk management process may be at the repeatable maturity level. Not every organization must reach the highest maturity level. Operating below the optimized maturity level may be acceptable. Each organization should decide its own optimal maturity level according to its unique needs and circumstances.

Risk Management Maturity Model
The risk management maturity model consists of the following maturity levels, presented in order of maturity: (a) initial, (b) repeatable, (c) defined, (d) managed, and (e) optimized.

Mature Risk Management Characteristics
The common characteristics of a mature risk management (i.e., at the optimized maturity level) can be described as follows:
- Risk culture
- Risk governance
- Risk management process

Risk Culture
Risk is considered and built into decision-making, objective-setting, and compensation structure.

Risk Governance
Across the organization, personnel who are competent and skilled participate in the risk management process.

Risk Management Process
Assessment, treatment, monitoring, and reporting of risk are aggregated across the organization.

Implementing Standard 2120
1. CAE: The CAE should speak with the board and senior management about risk appetite, risk tolerance, and risk management. After reviewing the strategic plan, business plan, and policies, the CAE may determine whether strategic objectives align with the mission, vision, and risk appetite. Mid-level managers may give insight into alignment at the business-unit level.
2. The internal audit activity
- Alerts management to new risks or inadequately mitigated risks
- Provides recommendations and action plans for risk responses
- Evaluates risk management processes
3. Internal auditors review risk assessments by senior management, external auditors, and regulators. The purpose is to learn how the organization identifies, addresses, and determines the acceptability of risks. The responsibilities and risk processes of the board and key managers also are evaluated.
4. The internal audit activity performs its own risk assessments.
- The discussions with the board and management permit alignment of recommended risk responses with the risk appetite.
- An established framework (e.g., COSO or ISO 31000) may be used for risk identification.
- (1) New developments in the industry and (2) processes for monitoring, assessing, and responding to risks (or opportunities) may be researched.
5. The foregoing procedures allow internal auditors to perform gap analyses (whether risks are identified and assessed adequately).
6. Internal auditors should identify risks and corresponding responses. "For example, management may choose to accept risk, and the CAE would need to determine whether the decision is appropriate, according to the organization's risk appetite or risk management strategy. If the CAE concludes that management has accepted a level of risk that may be unacceptable . . ., the CAE must discuss the matter with senior management and may need to communicate the matter to the board."
7. If management uses a risk mitigation strategy, "the internal audit activity may evaluate the adequacy and timeliness of remedial actions" by "reviewing the control designs and testing the controls and monitoring procedures."
8. "To assess whether relevant risk information is captured and communicated timely across the organization, internal auditors may interview staff at various levels and determine whether the organization's objectives, significant risks, and risk appetite are . . . understood throughout the organization. Typically, the internal audit activity also evaluates the adequacy and timeliness of . . . risk management results. The internal audit activity may review board minutes to determine whether the most significant risks are communicated timely to the board and whether the board is acting to ensure that management is responding appropriately."
9. The internal audit activity also should
- Ensure management of its risks (e.g., audit failure, false assurance, and damage to reputation) and
- Monitor all corrective actions.

Conformance with Standard 2120
1. The internal audit charter and audit plan are relevant documents.
2. Also relevant are minutes of meetings in which the elements of the standard (e.g., recommendations by the internal auditors) were discussed with the board, senior management, task forces, and committees.
3. Internal audit risk assessments and action plans demonstrate evaluation and improvement.

Risk Management for Consulting Engagements by IA
- During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
- Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.
- When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

COSO Risk Management Framework
Enterprise Risk Management - Integrating with Strategy and Performance (COSO ERM framework) is a framework that complements, and incorporates some concepts of, the COSO internal control framework. The COSO ERM framework provides a basis for coordinating and integrating all of an organization's risk management activities.

Effective Integration
- Improves decision making and
- Enhances performance.

Enterprise Risk Management
ERM is based on the premise that every organization exists to provide value for its stakeholders. Accordingly, ERM is defined as
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

Culture
Culture consists of "[t]he attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization."

Mission
Mission is the organization's core purpose.

Vision
Vision is the organization's aspirations for what it intends to achieve over time.

Core Values
Core values are the organization's essential beliefs about what is acceptable or unacceptable.

Capabilities
Capabilities are the skills needed to carry out the entity's mission and vision.

Practices
Practices are the collective methods used to manage risk.

Integrating strategy setting and performance
Risk must be considered in setting strategy, business objectives, performance targets, and tolerance. The organization considers the effect of strategy on its risk profile and portfolio view.

Strategy
Strategy communicates how the organization will (a) achieve its mission and vision and (b) apply its core values.

Business Objectives
Business objectives are the steps taken to achieve the strategy.

Tolerance
Tolerance is the range of acceptable variation in performance results. (This term is identical to "risk tolerance" in the COSO internal control framework.)

Risk Profile
Risk profile is a composite view of the types, severity, and interdependencies of risks related to a specific strategy or business objective and their effect on performance. A risk profile may be created at any level (e.g., entity, division, operating unit, or function) or aspect (e.g., product, service, or geography) of the organization.

Portfolio View
Portfolio view is similar to a risk profile. The difference is that it is a composite view of the risks related to entity-wide strategy and business objectives and their effects on entity performance.

Risk
Risk is "[t]he possibility that events will occur and affect the achievement of strategy and business objectives."

Opportunity
Opportunity is any action or potential action that creates or alters goals or approaches for the creation, preservation, or realization of value.

Reasonable Expectation
Effective ERM practices provide reasonable expectation (not absolute assurance) that the risk assumed is appropriate.

Risk Inventory
Risk inventory consists of all identified risks that affect strategy and business objectives.

Risk Capacity
Risk capacity is the maximum amount of risk the organization can assume.

Risk Appetite
Risk appetite consists of the amount and types of risk the organization is willing to accept in pursuit of value.

Inherent Risk
Inherent risk is the risk in the absence of management actions to alter its severity.

Actual Residual Risk
Actual residual risk remains after management actions to alter its severity.

Risk Response
Risk response is an action taken to bring identified risks within the organization's risk appetite.

Residual Risk Profile
A residual risk profile includes risk responses.

Target Residual Risk
Target residual risk is the risk the entity prefers to assume knowing that management has acted or will act to alter its severity.

Value
Value is:
1. Created when the benefits obtained from the resources used exceed their costs.
2. Preserved when the value of resources used is sustained.
3. Realized when benefits are transferred to stakeholders.
4. Eroded when management's strategy does not produce expected results or management does not perform day-to-day tasks.

Board Role in ERM
The board provides risk oversight of ERM culture, capabilities, and practices. Certain board committees may be formed for this purpose. Examples are:
1. An audit committee (often required by regulators),
2. A risk committee that directly oversees ERM,
3. An executive compensation committee, and
4. A nomination or governance committee that oversees selection of directors and executives.

Management Role in ERM
Management has overall responsibility for ERM and is generally responsible for the day-to-day managing of risk, including the implementation and development of the COSO ERM framework. Within management, the CEO has ultimate responsibility for ERM and achievement of strategy and business objectives.

Risk Officer
An organization may designate a risk officer as a centralized coordinating point to facilitate risk management across the entire enterprise. This risk officer is commonly referred to as a centralized coordinator.

Three Lines of Management Accountability
1. The first line consists of the principal owners of risk. They manage performance and risks taken to achieve strategy and objectives.
2. The second line consists of the supporting (business-enabling) functions, e.g., a risk officer or centralized coordinator. This level of management provides guidance on performance and ERM requirements, evaluates adherence to standards, and challenges the first line to take prudent risks.
3. The third line is the assurance function: internal auditing. The internal auditor audits (or reviews) ERM, identifies issues and improvements, and informs the board and executives of matters needing resolution.

Components of COSO ERM Framework
The COSO ERM framework consists of five interrelated components. Twenty principles are distributed among the components.
Supporting aspect components are:
1. Governance and culture and
2. Information, communication, and reporting.
The common process components are:
1. Strategy and objective-setting,
2. Performance, and
3. Review and revision.

Governance vs. Culture
Governance sets the organization's tone and establishes responsibilities for ERM. Culture relates to the desired behaviors, values, and overall understanding about risk held by personnel within the organization. Five principles relate to governance and culture.

Risk Oversight
The board exercises risk oversight. The full board ordinarily is responsible for risk oversight. However, the board may delegate risk oversight to a board committee, such as a risk committee. Management generally has day-to-day responsibility for managing performance and risks taken to achieve strategy and business objectives.
The board's oversight role may include, but is not limited to,
- Reviewing and challenging decisions related to strategy, risk appetite, and significant business decisions (e.g., mergers and acquisitions).
- Approving management compensation.
- Participating in stakeholder relations.
Risk oversight is most effective when the board
- Has the necessary skills, experience, and business knowledge to (a) understand the organization's strategy and industry and (b) maintain this understanding as the business context changes.
- Is independent of the organization.
- Determines whether ERM capabilities and practices enhance value.
- Understands the organizational biases (e.g., a tendency for excessive risk avoidance or risk taking) influencing decision making and challenges management to minimize them.

Operating Structures
The organization establishes operating structures. They describe how the entity is organized and carries out its day-to-day operations.

Legal Structure
The legal structure determines how the entity operates (e.g., as a single legal entity or as multiple, distinct legal entities).

Management Structure
The management structure establishes reporting lines (e.g., direct reporting versus secondary reporting), roles, and responsibilities. Management is responsible for clearly defining roles and responsibilities.

Evaluating Operating Structures
Factors to consider when establishing and evaluating operating structures include the entity's
- Strategy and business objectives, including related risks.
- Nature, size, and geographic distribution.
- Assignment of authority, accountability, and responsibility at all levels.
- Types of reporting lines and communication channels.
- Reporting requirements (e.g., financial, tax, regulatory, and contractual).

Defining Culture
The organization defines the desired culture. The board and management are responsible for defining culture. Culture is shaped by internal and external factors.

Culture: Internal Factors
Internal factors include (a) the level of judgment and autonomy allowed to personnel, (b) standards and rules, and (c) the reward system in place.

Culture: External Factors
External factors include (a) legal requirements and (b) expectations of stakeholders (e.g., customers and investors).

Culture Spectrum
The organization's definition of culture determines its placement on the culture spectrum, which ranges from risk averse to risk aggressive.

Commitment to Core Values
The organization demonstrates commitment to core values.
- The organization's core values should be reflected in all its actions and decisions.
- The tone of the organization is the manner in which core values are communicated across the organization.
- When risk-aware culture and tone are aligned, stakeholders have confidence that the organization is abiding by its core values.

Tone of the Organization
The tone of the organization is the manner in which core values are communicated across the organization.

Human Capital
The organization attracts, develops, and retains capable individuals. Management is responsible for defining the human capital necessary (the needed competencies) to achieve strategy and business objectives.

Human Resources
The human resources function assists management in developing competency requirements through processes that attract, train, mentor, evaluate, reward, and retain competent individuals.

Contingency Plans
Contingency plans should be developed to prepare for succession. Such plans train selected personnel to assume responsibilities vital to ERM. An example is training a risk manager to assume the position of risk officer.

Strategy and Objective Setting
Strategy must support the organization's mission, vision, and core values. The integration of ERM with strategy setting helps to understand the risk profile related to strategy and business objectives. Four principles relate to strategy and objective setting.

Business Context
The organization analyzes business context and its effect on the risk profile. Business context pertains to the relationships, events, trends, and other factors that influence the organization's strategy and business objectives. Accordingly, business context includes the organization's internal and external environments. The effect of business context on the risk profile may be analyzed based on past, present, and future performance.

Business Context: Internal Environment
The internal environment consists of factors related to four categories: (a) capital (e.g., assets), (b) people (e.g., skills and attitudes), (c) processes (e.g., tasks, policies, and procedures), and (d) technology (e.g., adopted technology).

Business Context: External Environment
The external environment consists of factors related to the following six categories: (a) political (government intervention and influence), (b) economic (e.g., interest rates and availability of credit), (c) social (e.g., consumer preferences and demographics), (d) technological (e.g., R&D activity), (e) legal (laws, regulations, and industry standards), and (f) environmental (e.g., climate change).

Business Context Characteristics
Business context may be
1. Dynamic. New, emerging, and changing risks can appear at any time (e.g., low barriers to entry allow new competitors to emerge).
2. Complex. A context may have many interdependencies and interconnections (e.g., a transnational company has several operating units around the world, each with unique external environmental factors).
3. Unpredictable. Change occurs rapidly and in unanticipated ways (e.g., currency fluctuations).

Defining Risk Appetite
The organization defines risk appetite (the amount of risk it is willing to accept in pursuit of value). The organization considers its mission, vision, culture, prior strategies, and risk capacity (the maximum risk it can assume) to set its risk appetite. In setting risk appetite, the optimal balance of opportunity and risk is sought. Risk appetite is rarely set above risk capacity. Risk appetite may be expressed qualitatively (e.g., low, moderate, high) or quantitatively (e.g., as a percentage of a financial amount). But it should reflect how risk assessment results are expressed. The board approves the risk appetite, and management communicates it throughout the organization.

Alternative Strategies
The organization evaluates alternative strategies and their effects on the risk profile. Approaches to evaluating strategy include SWOT (Strengths-Weaknesses-Opportunities-Threats) analysis, competitor analysis, and scenario analysis. The organization must evaluate the strategy's alignment with its mission, vision, core values, and risk appetite and the implications of the chosen strategy (its risks, opportunities, and effects on the risk profile). Strategy should be changed if it fails to create, realize, or preserve value.

Defining Business Objectives
The organization establishes business objectives that align with and support strategy. Business objectives are
1. Specific,
2. Measurable,
3. Observable, and
4. Obtainable.
Business objectives may relate to, among others, financial performance, operational excellence, or compliance obligations. Performance measures, targets, and tolerances (the range of acceptable variation in performance) are established to evaluate the achievement of objectives.

Performance
Performance relates to ERM practices that support the organization's decisions in pursuit of value. Those practices consist of identifying, assessing, prioritizing, responding to, and developing a portfolio view of risk. Five principles relate to performance.
1. The organization identifies risks that affect the performance of strategy and business objectives.
2. The organization assesses the severity of risk. Severity is a measure of such considerations as impact, likelihood, and the time to recover from events.
3. The organization prioritizes risks at all levels.
4. The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated. Risks should be managed within the business context and objectives, performance targets, and risk appetite.
5. The organization develops and evaluates its portfolio view of risk.

Identifying Risk
The organization should identify risks that disrupt operations and affect the reasonable expectation of achieving strategy and business objectives. New, emerging, and changing risks are identified. Examples are risks resulting from changes in business objectives or the business context. The organization also identifies opportunities. These are actions or potential actions that create or alter goals or approaches for the creation, preservation, or realization of value. They differ from positive events, occurrences in which performance exceeds the original target. Risk and opportunity identification should be comprehensive across all levels and functions of the entity.

Risk Identification Methods
Risk identification methods and approaches include
- Day-to-day activities (e.g., budgeting, business planning, or reviewing customer complaints),
- Simple questionnaires,
- Facilitated workshops,
- Interviews, or
- Data tracking.

Risk Inventory
The risk inventory consists of all risks that could affect the entity.

Severity of Risk
The organization assesses the severity of risk. Severity is a measure of such considerations as impact, likelihood, and the time to recover from events. Common measures of severity include combinations of impact and likelihood.

Impact
Impact is the result or effect of the risk. Impact may be positive or negative.

Likelihood
Likelihood is the possibility that an event will occur. Likelihood may be expressed qualitatively (e.g., a remote probability), quantitatively (e.g., a 75% probability), or in terms of frequency (e.g., once every 6 months).

Time Horizon
The time horizon to assess risk should be identical to that of the related strategy and business objective. For example, the risk affecting a strategy that takes 2 years to achieve should be assessed over the same period.

Risk Assessment Levels
Risk is assessed at multiple levels (e.g., entity, division, operating unit, and function) of the organization and linked to the related strategy and business objective. The severity of a risk may vary across levels. For example, a risk with high severity at the operating unit level may have low or moderate severity at the entity level.

Qualitative Methods for Assessing Risk
Qualitative methods are more efficient and less costly than quantitative methods. Examples are interviews, surveys, and benchmarking.

Quantitative Methods for Assessing Risk
Quantitative methods are more precise than qualitative methods. Examples are decision trees, modeling (probabilistic and nonprobabilistic), and Monte Carlo simulation.

Reassessing Severity
The organization should reassess severity whenever triggering events occur, such as changes in business context and risk appetite. The risk assessment should consider inherent risk, target residual risk, and actual residual risk. Assessment results may be presented using a heat map, which highlights the relative severity of each risk. The warmer the color, the more severe the risk.

Prioritizing Risk
The organization prioritizes risks at all levels. Risk prioritization enables the organization to optimize the allocation of its limited resources. In addition to severity (e.g., impact and likelihood), the following factors are considered when prioritizing risks:
- Agreed-upon criteria
- Risk appetite
- The importance of the affected business objective(s)
- The organizational level(s) affected

Agreed-upon Criteria
Agreed-upon criteria are used to evaluate the characteristics of risks and to determine the entity's capacity to respond appropriately. Higher priority is given to risks that most affect the criteria. Example criteria include the following:
- Complexity
- Velocity
- Persistence
- Adaptability
- Recovery

Complexity
Complexity is the nature and scope of a risk, e.g., interdependence of risks.

Velocity
Velocity is the speed at which a risk affects the entity.

Persistence
Persistence is how long a risk affects the entity, including the time it takes the entity to recover.

Adaptability
Adaptability is the entity's capacity to adjust and respond to risks.

Recovery
Recovery is the entity's capacity (not the time) to return to tolerance.

Higher Priority Risk
Higher priority also is assigned to risks that
- Approach or exceed risk appetite,
- Cause performance levels to approach the outer limits of tolerance, or
- Affect the entire entity or occur at the entity level.

Risk Response
The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated. Risks should be managed within the business context and objectives, performance targets, and risk appetite.

Five Categories of Risk Response
1. Acceptance (retention)
2. Avoidance
3. Pursuit
4. Reduction (mitigation)
5. Sharing (transfer)

Acceptance
No action is taken to alter the severity of the risk. Acceptance is appropriate when the risk is within the risk appetite. This term is synonymous with self-insurance.

Avoidance
Action is taken to remove the risk. Avoidance typically suggests no response would reduce the risk to an acceptable level. For example, the risk of pipeline sabotage can be avoided by selling the pipeline.

Pursuit
Action is taken to accept increased risk to improve performance without exceeding acceptable tolerance.

Reduction
Action is taken to reduce the severity of the risk so that it is within the target residual risk profile and risk appetite.
For example, the risk of systems penetration can be reduced by maintaining an effective information security function within the entity.SharingAction is taken to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners.Factors for Risk ResponseThe following are the factors considered in selecting and implementing risk responses: - They should be chosen for, or adapted to, the business context. - Costs and benefits should be proportionate to the severity of the risk and its priority. - They should further compliance with obligations (e.g., industry standards) and achievement of expectations (e.g., mission, vision, and stakeholder expectations). - They should bring risk within risk appetite and result in performance outcomes within tolerance. - Risk response should reflect risk severity.Control ActivitiesControl activities are designed and implemented to ensure risk responses are carried out.Portfolio View of RiskThe organization develops and evaluates its portfolio view of risk. The culmination of risk identification, assessment, prioritization, and response is the full portfolio view of risk. Using a portfolio view of risk, management determines whether the entity's residual risk profile (risk profile inclusive of risk responses) aligns with overall risk appetite. Qualitative and quantitative methods may be used to evaluate how changes in risk may affect the portfolio view of risk. - Qualitative methods include benchmarking, scenario analysis, and stress testing. - Quantitative methods include statistical analysis.Levels of Risk IntegrationThe following four risk views have different levels of risk integration: - Risk view (minimal integration). Risks are identified and assessed. Emphasis is on the event, not the business objective. - Risk category view (limited integration). 
Identified and assessed risks are categorized, e.g., based on operating structures. - Risk profile view (partial integration). Risks are linked to the business objectives they affect, and any dependencies between objectives are identified and assessed. For example, an objective of increased sales may depend on an objective to introduce a new product line. - Portfolio view (full integration). This composite view of risks relates to entity-wide strategy and business objectives and their effect on entity performance. At the top level, greater emphasis is on strategy. Thus, responsibility for business objectives and specific risks cascades through the entity.Review and RevisionThe organization reviews and revises its current ERM capabilities and practices based on changes in strategy and business objectives. Three principles relate to review and revision. 1. The organization identifies and assesses changes that may substantially affect strategy and business objectives.Changes in the organization's business context and culture are most likely to substantially affect strategy and business objectives. Such changes may result from changes in the organization's internal or external environment. Substantial changes in the internal environment include those due to rapid growth, innovation, and turnover of key personnel.Substantial changes in the external environment include those in the economy or regulations. 2. The organization reviews entity performance results and considers risk. Performance results that deviate from target performance or tolerance may indicate - Unidentified risks, - Improperly assessed risks, - New risks,Opportunities to accept more risk, or - The need to revise target performance or tolerance. 3. 
The organization pursues improvement of ERM.The organization must continually improve ERM at all levels, even if actual performance aligns with target performance or tolerance.Methods of identifying areas for improvement include continual or separate evaluations and peer comparisons (reviews of industry peers).Information, Communication & ReportingThe organization must capture, process, manage (organize and store), and communicate timely and relevant information to identify risks that could affect strategy and business objectives. Three principles relate to information, communication, and reporting. 1. The organization leverages its information systems to support ERM. 2. The organization uses communication channels to support ERM. 3. The organization reports on risk, culture, and performance at multiple levels and across the entity.Information SystemsThe organization leverages its information systems to support ERM. Information systems must be adaptable to change. As the organization adapts its strategy and business objectives in response to changes in the business context, its information systems also must change.Data and KnowledgeData are raw facts collectible for analysis, use, or reference. Information is processed, organized, and structured data about a fact or circumstance. Information systems transform data (e.g., risk data) into relevant information (e.g., risk information). Knowledge is data transformed into information. Information is relevant if it helps the organization be more agile in decision making, giving it a competitive advantage.Structured DataStructured data are generally well organized and easily searchable (e.g., spreadsheets, public indexes, or database files).Unstructured DataUnstructured data are unorganized or lack a predefined pattern (e.g., word processing documents, videos, photos, or email messages).Data ManagementData management practices help ensure that risk information is useful, timely, relevant, and of high quality. 
The following are the elements of effective data management: - Data and information governance - Processes and controls - Data management architectureData and Information GovernanceStandards are established for the delivery, quality, timeliness, security, and architecture of data. Roles and responsibilities also are defined for risk information owners and data owners.Processes and ControlsActivities are implemented to ensure established data standards are reinforced and corrections are made as necessary.Data Management ArchitectureInformation technology is designed that determines what data are collected and how the data are used.Communication ChannelsCommunications about risk. - Management communicates the organization's strategy and business objectives to internal (e.g., personnel and the board) and external (e.g., shareholders) stakeholders. - Communications between management and the board should include continual discussions about risk appetite. Channels and methods. - Organizations should adopt open communication channels to allow risk information to be sent and received both ways (e.g., to and from personnel or suppliers). - Communication methods include written documents (e.g., policies and procedures), electronic messages (e.g., email), public events or forums (e.g., town hall meetings), and informal or spoken communications (e.g., one-on-one discussions). - The board may hold formal quarterly meetings or call extraordinary meetings (special meetings to discuss urgent matters).Reporting on ERM1. The purpose of reporting is to support personnel in their - Understanding of the relationships among risk, culture, and performance. - Decision making related to (a) setting strategy and objectives, (b) governance, and (c) day-to-day operations. 2. Reporting combines qualitative and quantitative risk information, with greater emphasis on information that supports forward-looking decisions. 3. 
Management is responsible for implementing controls to ensure reports are accurate, complete, and clear. 4. The frequency of reporting is based on the severity and priority of the risk. 5. Reports on culture may be communicated, among other means, in surveys and lessons-learned analyses. 6. Key indicators of risk should be reported with key performance indicators to emphasize the relationship of risk and performance.Assessing ERMThe COSO ERM framework provides criteria for assessing whether the organization's ERM culture, capabilities, and practices together effectively manage risks to strategy and business objectives. When the components, principles, and supporting controls are present and functioning, ERM is reasonably expected to manage risks effectively and to help create, preserve, and realize value. - Present - FunctioningPresentPresent means the components, principles, and controls exist in the design and implementation of ERM to achieve objectives.FunctioningFunctioning means the components, principles, and controls continue to operate to achieve objectives.ISO 31000ISO 31000 is a principles-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management.Principles of ISO 310001. Integrated. Risk management is integrated into all organizational activities. 2. Structured and comprehensive. The risk management approach needs to be structured and comprehensive. 3. Customized. The risk management framework and process should be customized to the organizational objectives. 4. Inclusive. Appropriate involvement of stakeholders enables informed risk management. 5. Dynamic. Risk management foresees, recognizes, and reacts to changing risks. 6. Best available information. 
Risk management considers past, current, and future information and any related limitations of such information. 7. Human and cultural factors. Human behavior and culture affect all facets and each level of risk management. 8. Continual improvement. Learning and experience constantly improve risk management.Risk Management FrameworkA risk management framework is a set of components that includes leadership and commitment, integration, design, implementation, evaluation, and improvement of risk management.Leadership and CommitmentThe board and senior management demonstrate leadership and commitment by implementing the framework's components; adopting a policy that establishes a risk management plan or approach; committing resources to risk management; and assigning accountability, authority, and responsibility at each organizational level.Integration of the FrameworkThe integration of the framework into all facets of an organization, including its objectives, structure, governance, and culture, is a dynamic process. 
All personnel in the organization are responsible for managing risks.Design of the FrameworkThe design of the framework involves the following: - Understanding the organization and its context - Articulating commitment to risk management - Assigning and communicating authorities, responsibilities, and accountabilities for risk management roles at all levels - Allocating resources (e.g., people, experience, processes, and information systems) to support risk management while recognizing the limitations of existing resources - Establishing communication and consultationImplementation of the FrameworkThe implementation of the framework can be achieved by developing a plan; identifying decision making processes; modifying decision making processes as change occurs; and ensuring stakeholders' understanding of, and engagement with, the organization's risk management arrangement.Evaluation of the FrameworkThe evaluation of the framework's effectiveness involves measuring performance against expectations.Improvement of the FrameworkThe improvement of the framework is through monitoring and updating the framework in response to changes, thereby enhancing organization performance.ISO Risk Management Process1. To improve understanding of risks and decisions made, communication to raise awareness and consultation to obtain feedback and information require ongoing, structured coordination with stakeholders. 2. The scope, context, and criteria should be established to customize risk management. This element includes defining the scope of the risk management process, understanding its external and internal context, and defining risk criteria. The context of the risk management process derives from the understanding of the specific external and internal environment of the organization. 3. Risk assessment is the process of identifying, analyzing, and evaluating risk. 4. 
Risk treatment is a repetitive process of selecting risk treatments (e.g., accept, avoid, reduce, share, or pursue), implementing the treatment, assessing the treatment's effectiveness, determining whether the residual risk is acceptable, and adopting another treatment if the first was unacceptable. 5. Monitoring and review should occur in all phases of the risk management process to improve its quality and effectiveness. 6. Recording and reporting of the risk management process and its results should be facilitated to communicate and improve risk management activities, support decisions, and enhance communications with stakeholders.Risk IdentificationRisk identification finds risks that can contribute to or prevent achieving organizational objectives. For example, it considers risk sources, changes in context, threats and opportunities, emerging risk indicators, and consequences and their effects on objectives.Risk AnalysisRisk analysis examines the nature, characteristics, and level of risk. It considers such factors as likelihood of events and consequences, control effectiveness, and confidence level.Risk EvaluationRisk evaluation supports decision making by comparing the defined risk criteria with the outcome of risk analysis and determining whether any action is required.ISO 31000 - Responsibilities for Risk Management- The board is responsible for overseeing risk management and has overall responsibility for ensuring that risks are managed and the risk management system is effective. - Management is responsible for setting the organization's risk attitude, which is defined by ISO as an "organization's approach to assess and eventually pursue, retain, take, or turn away from risk." Management also identifies and manages risks. 
- The internal audit activity is responsible for providing assurance regarding the entire risk management system.ISO 31000 - Assurance ApproachesISO 31000 describes three approaches to providing assurance on the risk management process: (1) key principles, (2) process element, and (3) maturity model.Key Principles ApproachThe key principles approach evaluates whether the risk management principles are in practice.Process Element ApproachThe process element approach evaluates whether the risk management elements have been put into practice.Maturity Model ApproachThe maturity model approach is based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process. The basic principle is that risk management must add value. Accordingly, this approach determines where the risk management process is on the maturity curve and evaluates whether it (1) is progressing as expected, (2) adds value, and (3) meets organizational needs.Capability Maturity Model (CMM)An example maturity curve (i.e., maturity model) is the capability maturity model (CMM). It consists of the following maturity levels presented in order of maturity: initial, repeatable, defined, managed, and optimizing. Level 1 - Initial: Few processes are defined. Level 2 - Repeatable: Basic processes are established. Level 3 - Defined: Standards are developed. Level 4 - Managed: Performance measures are defined. Level 5 - Optimizing: Continuous improvement is enabled.Capability Maturity Model Integration (CMMI)The Capability Maturity Model Integration (CMMI) Development V2.0 focuses on organizational performance at each maturity level. This model consists of the following maturity levels presented in order of maturity: incomplete, initial, managed, defined, quantitatively managed, and optimizing. Level 0 - Incomplete: Whether work can be completed is not known. 
Level 1 - Initial: Work can be completed, but not on time or within the budget. Level 2 - Managed: Projects are planned, implemented, managed, and monitored. Level 3 - Defined: Standards for projects are defined throughout the organization. Level 4 - Quantitatively managed: The organization quantifies performance improvement goals to meet stakeholder needs. Level 5 - Optimizing: The organization pursues continuous improvement, responds to change, and innovates.Performance Measurement SystemA critical aspect of the maturity model approach is that risk management performance and progress in executing the risk management plan should be linked with a performance measurement system, which typically consists of - Performance standards, - Criteria on how the standards can be satisfied, - A method of comparing actual performance with each standard, - A method of recording and reporting performance and improvements in performance, and - Periodic independent verification of management's assessment.Turnbull Risk Management FrameworkIn contrast with the ISO 31000 principles-based approach, the Turnbull risk management framework emphasis is on internal control, the assessment of its effectiveness, and risk analysis.