
TRUE

The phrase ‘control environment’ is preferred by internal auditors.

ISO 31000 refers to the ‘risk management context’.

The COSO ERM cube refers to the ‘internal environment’.

ISO Guide 73 defines control as a measure that is modifying risk.

COSO Internal Control was originally published in 1992.

The primary purpose of internal control activities is to help the organization achieve its objectives.

The purpose of the control environment is to ensure consistent responses to risks that materialize.

Risk assurance is an important component of the overall risk management process.

Internal financial controls are just one part of a charity’s overall control framework.

The internal control system includes internal control activities and the structure and responsibilities that relate to them.

Standardized approach: calculates the value for operational risk using a broad financial indicator, multiplied by operational loss experience.

Advanced approach: uses internal loss data and a combination of qualitative and quantitative methods to calculate the operational risk capital.

The US-based Risk and Insurance Managers Society (RIMS) has undertaken an evaluation of the causes of the global financial crisis.

A good organizational structure supports the effective management of risk.

ISO Guide 83 suggests that the term ‘interested party’ is preferred, but stakeholder is an acceptable alternative.

BPR can be a very time-consuming exercise when undertaken thoroughly.

Corporate governance models require the involvement of stakeholders and adequate stakeholder dialogue.

The Basel II definition includes legal risk but excludes strategic and reputational risk.

The Basel II definition identifies four types of risk categories: people, process, system, and external risks.

External risks include action by regulators, unsatisfactory performance by service providers, and fraud, both internal and external.

The purpose of our enterprise risk management (ERM) approach is to mitigate risks to the delivery of a safe, reliable and cost-effective service to our customers.

The ERM framework provides a standardized approach to the identification, assessment, recording and reporting of significant risks.

Operational risks are owned and managed by operational units.

Control risks will have a cost associated with controlling the risks, and this cost can be described as the control acceptance.

Accountability is vitally important if the risk-aware culture is to be successful.

A risk-aware culture requires good communication of risk information from senior management.

The normalized organization is successful in achieving competent or desirable behaviours, but these are not yet automatic.

RMIS have been used for some time to record details of insurance claims.

Relationship skills also include listening skills.


FALSE

(For each item the corrected term is given first, followed by the statement as set, which is false as written.)

internal

CoCo is an external control framework, but it is described in this chapter because it is an established framework.

Internal

External audit is primarily concerned with risk assurance, and this will be the concern of the non-executive audit committee in a large organization.

include

Risk performance and certification reports exclude operational management reports as well as more formal declarations and certified reports to stakeholders.

compulsory

Risk reporting by charities is not compulsory in most countries in the world.

should

The risk management manual shouldn’t describe the control environment or risk culture.

excludes strategic and reputational risk

The Basel II definition includes legal risk, strategic and reputational risk.

Process risks

System risks include process failures and inadequate controls.

System risks

Process risks include failure of application systems to meet user requirements and the absence of built-in control measures.

Credit risk

Market risk is the risk that there will be a failure by a customer/client to repay the principal and/or interest on a loan or other outstanding debt in a timely manner, or at all.

Market risk

Credit risk is the risk that the value of investments may decline over a period.

Basel III

Basel II requirements have been developed but may not be introduced until 2019.

Basic indicator approach

Advanced approach: calculates the value of operational risk capital using a single indicator for the overall risk exposure.

Ericsson’s

Ekurhuleni’s risk management is integrated into the operational processes of the business to ensure accountability, effectiveness, efficiency, business continuity and compliance with corporate governance, legal and other requirements.

Hazard risks

Control risks will always have a negative outcome associated with the risk.

Control risks

Hazard risks will have a cost associated with controlling the risks, and this cost can be described as the control acceptance.

Naïve

A novice organization will automatically accept incompetent or undesirable behaviours.

Involvement

The risk culture of the organization can be defined by leadership, influential, learning, accountability and communication (LILAC).

Analytical skills range widely and require strategic and not logical thinking.

very wide range

Corporate governance covers a small range of topics, and risk management is an integral part of the successful corporate governance of every organization.

ISO Guide 73

ISO Guide 83 defines a stakeholder as a ‘person or group concerned with, affected by, or perceiving themselves to be affected by an organization’.

IDENTIFICATION

Data security

It is essential that the security of customer, colleague and company confidential data is maintained.

Internal control

The elements include resources, systems, processes, culture, structure and tasks.

ISO Guide 73

defines control as a measure that is modifying risk.

Criteria of Control / CoCo

An internal control framework, but it is described in this chapter because it is an established framework.

People risk

Failure to recruit, develop and retain suitable talent.

Bank

The largest financial services institution listed on the national stock exchange, and among the 30 most profitable financial services organizations in the world.

Selflessness

Holders of public office should act solely in terms of the public interest and should not seek benefits for themselves, their family or friends.

Integrity

Holders of public office should not place themselves under any financial or other obligation to outside individuals or organizations.

Accountability

Holders of public office are accountable for their decisions and actions to the public and must submit themselves to appropriate scrutiny.

Openness

Holders of public office should be as open as possible about all the decisions and actions that they take and give reasons for their decisions.

Honesty

Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts.

Leadership

Holders of public office should promote and support these principles by leadership and example.

Shareholder information

Shareholder analysis by size and constituent; information on directors’ share dealings.

Market risk

The risk that the value of investments may decline over a period.

Risk maturity models

Model that can be used to measure the current level of risk culture within the organization.

Risk Appetite

The amount of risk an organization is willing to take; this determines the value it should put at risk.

Risk Capacity

The capability of the organization to take risk.

Corporate Governance

The system by which organizations are directed and controlled.

Business process re-engineering (BPR)

A technique to ensure that an organization has the most effective and efficient processes and operations.

Financial data

Annual report and financial statements; archived financial information for the past three years.

Operational risk

Type of risk that will disrupt normal everyday activities.


ACRONYMS
LILAC

Leadership, Involvement, Learning, Accountability & Communication

ERM

enterprise risk management

WAG

Welsh Assembly Government

CSFSRS

customers; staff; financiers; suppliers; regulators; society.

RIMS (4 points)

Risk and Insurance Managers Society

GRC (3 points)

Governance, Risk & Compliance

IIA (3 points)

Institute of Internal Auditors

FOIL

Fragmented, organized, influential and leading


ENUMERATION

Four Styles of Risk Management: (4 points)

1. Compliance management
2. Hazard management
3. Control management
4. Opportunity management

The awareness campaign could include all the LILAC components and may extend to: (5 points)

1. risk awareness training
2. awareness poster campaigns
3. site inspections
4. arrangements for reporting defects
5. leaflets and brochures

Enumerate the 4N’s Stages of Risk Maturity (4 points)

1. Naïve
2. Novice
3. Normalized
4. Natural

Corporate Governance’s Five Appropriate Committees: (5 points)

1. risk management committee
2. audit committee
3. disclosures committee
4. nominations committee
5. remuneration committee

Nolan principles of public life (7 points)

1. Selflessness
2. Integrity
3. Objectivity
4. Accountability
5. Openness
6. Honesty
7. Leadership

Eight major groupings used by Canada Post Corporation to evaluate the control environment: (8 points)

1. Leadership
2. Planning
3. customer focus
4. people focus
5. process management
6. partnership
7. business performance
8. continuous improvement

5 Areas in Evaluating the Effectiveness of the Board: (5 points)

1. membership and structure
2. purpose and intent
3. involvement and accountability
4. monitoring and review
5. performance and impact
