Summary of CRMA Book ALL Domains


DOMAIN I: Organizational Governance Related to Risk Management Processes

Definitions of Risk
- IIA: The possibility of an event occurring that will have an impact on the achievement of objectives.
- AS/NZS: The chance of something happening that will have an impact on objectives.
- ISO 31000: The effect of uncertainty on objectives.
- Risk Severity: The product of impact and likelihood.
- Positive impact (benefits) = upside; opportunity = positive risk.
- Negative impact = downside; risk = negative risk.

Risk Management - Definition (COSO)
A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO's ERM framework encompasses:
1. Aligning risk appetite and strategy
2. Enhancing risk response decisions
3. Reducing operational surprises
4. Identifying and managing multiple and cross-enterprise risks
5. Seizing opportunities
6. Improving deployment of capital

I.A Assess Risk Management Processes in the Context of Alignment with Strategic Imperatives
The main processes of risk management relate to: analysis, risk response, monitoring, and reporting.

I.A.1 Objectives of Risk Management Processes
- Contribute to the long-term survival of the organization.
- Maximize the value delivered to all stakeholders.
- Be better placed to take advantage of opportunities as they arise.
- Link growth, risk, and return.
- Safeguard the assets and reputation.
- Facilitate greater operational effectiveness and efficiency.
- Increase the likelihood of achieving objectives.
- Comply with legal and regulatory requirements.
- Improve organizational learning and resilience.
- Help an organization become more risk mature by considering its current and future risks.
- Improve the understanding an organization has of itself and its activities to enable better decision-making, operational management, and deployment of capital and resources.
- Reduce uncertainty and volatility in those areas of organizational activity that do not benefit from being risk-laden.

Requirements for Effective RM
1. RM exists to serve the organization, not vice versa.
2. It needs to be enterprisewide.
3. It requires a coordinated and consistent framework.
4. It is not designed to be a brake on ambition.
5. It needs to be cyclical and iterative.

Cyclical Nature of RM Processes
1. Set risk appetite
2. Identify risks
3. Analyze risks
4. Agree risk response
5. Implement response
6. Monitor and report
7. Review
8. Increase risk maturity
9. Improve organizational effectiveness

I.A.2 Levels of Risk Maturity
- Risk maturity: A measure of the level of risk culture, i.e. the overall attitude and approach to dealing with risks, either more or less mature or risk aware.
- Levels, from lowest to highest:
  1. Risk-naive
  2. Risk-aware
  3. Risk-defined
  4. Risk-managed
  5. Risk-enabled

Features of a Successful Risk Culture (IRM)
1. Leadership and commitment from the highest levels.
2. Adherence to ethical principles and concern for all stakeholders.
3. Recognition of the need for effective risk management.
4. Ready access to reliable information.
5. Encouragement to share information when things go wrong.
6. Application of risk management to all activities.
7. Encouragement and reward for appropriate risk-taking, as well as sanctions for reckless or negligent approaches.
8. Ready access to support and resources for the development of risk management skills.
9. Acceptance of multiple perspectives to challenge the approaches adopted.
10. Alignment of risk culture with the organizational culture.

I.A.3 Risk Capacity, Appetite, and Tolerance of Organization
- Risk capacity: The ability to accept risk.
- Risk appetite: The preparedness to accept risk.
- Risk tolerance relates to risk appetite, but tolerance represents the application of risk appetite to specific objectives. While risk appetite is broad, risk tolerance is tactical and operational.
- Once appetite is defined, risk management's role is to establish internal controls and other measures necessary to ensure that residual risk falls within the risk appetite.
- Risk appetite focuses attention on areas in which residual risk remains above tolerable levels and may facilitate the allocation of additional resources to better control risk or exploit opportunities.
- Residual risk (ISO 31000): The risk remaining after risk treatment.

Benefits of Defining Risk Appetite
- Confirms a common purpose and facilitates an enterprisewide and embedded approach.
- Provides a starting point for risk management.
- Enables a clear expression of the objective for risk management: to manage residual risk within risk appetite.
- May serve as part of the evidence base for a critical decision.
- Can be readily communicated and shared.
- Facilitates the deployment of resources toward those areas where residual risk remains high.
Summary of CRMA Book - 1st Edition Page 1 of 14 samehacc1@gmail.com


I.B Assess the Processes Related to the Elements of the Internal Environment in Which Organizations Seek to Manage Risks and Achieve Objectives

I.B.1 Integrity, Ethical Values, and Other Soft Controls
- Organizations in many jurisdictions are required to comply with legislation designed to promote ethical conduct.
- It is critical that organizations are clear about the importance of an authentic attempt to establish and maintain an ethical environment.
- Business ethics: A set of moral principles applied to organizational activity. Business ethics are relevant both to the conduct of individuals and to the conduct of the organization as a whole.
- Values: Simple statements of what an organization stands for.
- Codes of conduct or ethical behavior should cover: employment practices, confidentiality, conflicts of interest, relationships with suppliers, environmental issues, and political involvement.
- Taken as a whole, ethical values and codes of ethics or professional conduct alone will not guarantee that individuals and organizations behave with integrity. They need:
  * Support at the highest levels of the organization.
  * Clear and consistent communication relating to the values and codes.
  * Integration of ethics into strategic planning and operational delivery.
  * Staff training and development linked to ethical matters.
  * Involvement of staff in the development and implementation of ethical frameworks.
- Important roles of codes of ethical behavior and organizational values:
  1. They act as a way of describing what the organization regards as ethical behavior.
  2. They can be a way of demonstrating ethical leadership from the top down.
  3. Codes and values should help resolve ethical dilemmas.
- The 4-V Model of Ethical Leadership (2013): Values (personal conviction); Vision (inspire others to adopt similar values); Voice (communicate the vision and share the values); Virtue (a virtuous way of thinking and behaving).
- COSO's Internal Control – Integrated Framework: supplement the values and codes with
  * Hard controls (activities): management reviews, inspections, policies, reconciliations, structure, limits of authority, user IDs and passwords, physical counts.
  * Soft controls (people): openness, shared values, clarity, commitment to competence, high expectations, communications.
- Root cause analysis: helps prevent additional rework and proactively addresses future recurrences of the issue.

I.B.2 Role, Authority, Responsibility, etc., for Risk Management
- The Three Lines of Defense:
  1. The first line (operational management): to own and manage risks.
  2. The second line (RM and compliance): to provide risk oversight.
  3. The third line (internal auditors): to provide independent assurance.
- The primary stakeholders are senior management and the governing body (the board), who ensure the three lines model is operating effectively.
- Management has the primary responsibility for identifying risks and managing them.
- Board of directors:
  * Is a legal requirement for any corporate enterprise. However, the justification for a board of directors in a modern quoted company owes more to considerations of risk than to the need to comply with regulation or statute.
  * Has overall responsibility for ensuring that risks are managed, and will delegate the operation of the RM framework to the management team.
  * Should be independent, non-executive directors.
  * Chooses the chief executive.
  * Defines the nature and extent of the risks that the organization is willing to take.

I.B.3 Management's Philosophy and Operating Style
- The operating style and philosophy of management are often characterized by the phrase "tone at the top".
- Characterizing the style and philosophy of management:
  * Autocratic style: Little or no consultation, while power and control are held centrally.
  * Democratic style: More inclusive, taking account of the views and inputs of others and including them in collective responsibility. A highly decentralized style with plenty of consultation.
  * Laissez-faire: A "hands-off" style with little or no intervention (power is highly decentralized). This style works when routines are very settled and staff members are highly experienced.
- McKinsey 7S Model/Framework: A tool for management when trying to bring about change. The seven dimensions (an interacting and connected mesh) are described as:
  * Hard elements, readily grasped and manipulated by management (3 elements): 1. Strategy, 2. Structure, 3. Systems.
  * Soft elements, much less tangible and more difficult to change (4 elements): 1. Style, 2. Shared Values, 3. Staff, 4. Skills.
- McGregor's Theory X, Theory Y model for motivation (used to analyze the style of management):
  * Theory X depends almost exclusively on hard controls.
  * Theory Y makes much greater use of soft controls.
- Blake and Mouton's Managerial Grid:

  Style                  Concern for People  Concern for Tasks  Characteristics
  1. Team                High                High               Participative and proactive leadership style
  2. Produce or Perish   Low                 High               Performance is the primary focus; management tends to be formal and authoritative
  3. Country Club        High                Low                Democratic and inclusive
  4. Impoverished        Low                 Low                Very laissez-faire, "hands-off" approach
  5. Middle of the Road  Medium              Medium             Balanced view of tasks and people

- Types of reward: 1. Financial rewards, 2. Nonfinancial rewards from working, 3. Psychological and social rewards.


I.B.4 Legal/Organizational Structure
- Dimensions of organizational structures (Hatch 2006): size (employees, capital, turnover, etc.); management and administration; horizontal differentiation; vertical differentiation; integration among segments; centralization/decentralization (of decisions and power); standardization of procedures; formalization of documentation; specialization of individuals and teams.
- Structures should be designed to reduce risk and exploit opportunities. In this sense they are a kind of risk response, but they also introduce their own set of risks.
- Delegation: One of the options for introducing greater flexibility in any given structure. It is the passing of authority, but not the responsibility, for certain tasks to a subordinate. Risks with delegation:
  * Employees may feel that they are neglected.
  * Tasks may be passed to unskilled people.
  * Lines of responsibility may become blurred.
- Differences in legal forms of organizations: ownership; organizational control; governance arrangements; available sources of finance; liability for losses; reporting requirements; taxation and other financial obligations; other forms of regulation and oversight.
- To balance power, the chair of the board of directors is not also the CEO.

I.B.5 Documentation of Governance-related Decision-making
- There is strong linkage among governance, decision-making, and documented information. Documentation is necessary to foster transparency and support effective decision-making.
- Documentation serves different purposes:
  * Provides information that can support an activity's decision-making, planning, analysis, and data input.
  * Provides a historical record that can be used for reference.
  * Contributes to openness and transparency.
  * Provides an audit trail for regulators and investigators.
  * Defines authorities and responsibilities to enable accountability.
- Documentation includes: minutes of board meetings and its subcommittees, roles and responsibilities, policies and procedures, financial statements, internal audit reports, management accounts, other kinds of performance monitoring, compliance records, and external auditors' reports.
- Information should be: relevant, timely, accurate, usable, and detailed.
- The decision-making process:
  1. Identify the problem or opportunity.
  2. Determine the intended goal or outcome.
  3. Identify the relevant factors (the decision criteria).
  4. Collect information.
  5. Analyze available options.
  6. Make and implement the decision.
  7. Review outcomes.
- Effective decision-making techniques: 1. Five Whys, 2. Chunking, 3. Drill-down, 4. Cause and Effect Analysis, 5. Decision Trees, 6. Cost Benefit Analysis, 7. Systems Diagrams, 8. 80-20 Rule, 9. Force Field Analysis, 10. Paired Comparison, 11. Grid Analysis, 12. Thinking Hats.

I.B.6 Capabilities, in Terms of People and Other Resources
- Capabilities: Activities an organization is equipped to undertake due to its resources. From individuals they include skills, knowledge, experience, networks, and personal qualities. From the organization they include resources, processes, networks, reputation, and goodwill.
- The core capabilities enable an organization to deliver its products and services to customers at a price they are prepared to pay, gaining access to key markets and making it hard for others to imitate.
- Porter's Value Chain:
  * Primary activities have a direct bearing on adding value: inbound logistics, operations, outbound logistics, marketing and sales, services to customers.
  * Support activities are the additional things the organization needs to do to facilitate the primary activities: administration, human resources, technology, procurement.

I.B.7 Management of Third-party Business Relationships
- Clarifying the nature of the relationship through a formal agreement or memorandum of understanding (MOU) is one way of confirming expectations at the outset and avoiding misunderstanding later. Such agreements may specify the:
  1. Period of the relationship.
  2. Objectives to be achieved.
  3. Roles and responsibilities of each party.
  4. How financial commitments and rewards are to be shared.
  5. Options for terminating the agreement.
- The potential for risk in third-party relationships is significant, stemming from failures by the third party or of the relationship itself, such as operational, reputational, financial, compliance, legal, and strategic risks.
- Measures to mitigate these risks:
  * Policies and procedures for procurement and tendering.
  * Due diligence.
  * Detailed agreements with stated objectives.
  * A schedule of regular communications and reports.
  * Oversight to provide an independent and objective view.
  * Penalty clauses, indemnities, and insurance.


I.B.8 Needs and Expectations of Key Internal Stakeholders
- A stakeholder is defined as anyone who has a stake or an interest in some activity, project, or enterprise.
- Sometimes interests can be in conflict, for example:
  * A gain for one party may be a cut in income for another.
  * Managers seek short-term gain, while owners desire long-term returns.
- Organizations are challenged to address a series of overlapping interests by various stakeholders.
- Risk management processes should be designed to reflect a balanced response to the needs and interests of stakeholders.
- Stakeholders may be internal or external. Some also refer to "connected" stakeholders.
- It is important to understand the impact risk management processes have on internal stakeholders.

I.B.9 Internal Policies
- Policy: Description of the approach or attitude adopted by an entity or activity.
- Procedure: Steps required to undertake an activity in accordance with policy.
- Risk management processes may also be guided by policy documents that include a description of the objectives of risk management and an account of how it is to be effected within the organization.
- Because internal policies are part of the control environment, it is important to review the risk management processes for relevance, timeliness, and effectiveness.

I.C Assess the Processes Related to the Elements of the External Environment in Which Organizations Seek to Manage Risks and Achieve Objectives
- The external environment is the principal source of opportunities and threats.
- Risk management processes need to be responsive to changes that could precipitate new risks or fluctuations in the severity of existing ones.
- The external environment influences the organization internally, while the organization impacts the external environment.

I.C.1 Key External Factors (Drivers and Trends) That May Impact the Objectives of the Organization
- One way of understanding the external environment is to see it as a mesh of overlapping influences engaging with and affecting each other.
- Risk management processes need to be alert to the complex and changeable external environment.
- When considering the external environment, it is increasingly important to think globally.
- Approaches to analyze the external environment:
  * PESTEL, an acronym for the influences that are Political, Environmental, Social, Technological, Economic, and Legal.
  * Porter's Five Forces model, to determine the degree of rivalry that exists within segments of a given market or the market as a whole: 1. Threat of new entrants, 2. Power of customers, 3. Power of suppliers, 4. Substitute products, 5. Degree of rivalry.

I.C.2 Needs and Expectations of Key External Stakeholders (e.g., Involved, Interested, Influenced)
- The key external stakeholders include: non-executive directors (connected/internal), customers, suppliers, investors, government and regulators, pressure groups, the local community, and the public at large.
- Approaches to analyze the stakeholders: assess the degree to which stakeholders are engaged with a particular issue or the organization as a whole. One form considers two dimensions:
  1. Importance: how much importance they attach to a particular issue.
  2. Influence: how much power they have.
- Categories of stakeholders: promoters, supporters, latents, apathetics.


DOMAIN II: Principles of Risk Management (RM) Processes

(A) Introduction to Domain II
- Features for RM processes (Standard 2120):
  * Organizational objectives support and align with the organization's mission.
  * Significant risks are identified and assessed.
  * Risk responses are selected that align risks with risk appetite.
  * Relevant risk information is captured and communicated in a timely manner.
- Cyclical processes of RM:
  1. Set objectives
  2. Identify risks
  3. Analyze and evaluate risks
  4. Determine risk response
  5. Develop and implement risk mitigation plans
  6. Monitor risk mitigation plans and emerging risks
  7. Reporting
  8. Review

II.A Benchmark Risk Management Processes Using Authoritative Guidance

(A) Definition of benchmarking
- General: Systematic comparison of actual activity with a set of standards.
- COSO: A collaborative process among a group of entities that focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities.

(B) How to do it
- Qualitative basis: Requires an appropriate evidence base to support the judgment, although it may depend ultimately on a subjective opinion.
- Quantitative metrics: Make it easier to objectively assess whether the actual performance matches the standard. Quantitative assessments are more complex than qualitative assessments but typically yield more precise measures.

(C) Even though a set of standards is right for some organizations, it might not always be right for all, especially in totality.

(D) A balanced approach is required, along with a healthy degree of skepticism and pragmatism, while aspiring to the highest quality within organizational capability.

(E) Internal control frameworks
- When considering whether to adopt a set of standards formally or simply take valuable parts from different sets, each organization must make its own decision based on its own circumstances and organizational culture.
- Examples: COSO's Internal Control – Integrated Framework; Criteria of Control Framework (CoCo); UK Corporate Governance Code; ISO 9000.

(F) RM standards and frameworks
1) GAIT for Business and IT Risk
- Its purpose was to provide organizations with a top-down approach to identifying the IT general controls that need to be tested so that assurance on the management of IT risks can be provided, with emphasis on how those risks impact financial reporting.
- Based on four key principles:
  1. The failure of technology is a risk that only needs to be assessed, managed, and audited if it represents a risk to the business.
  2. Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls (including automated controls and ITGCs [IT general controls]) required to manage or mitigate business risk.
  3. Business risks are mitigated by a combination of manual and automated key controls, and key automated controls must be assessed to manage or mitigate business risks.
  4. ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls.
2) COSO's Enterprise Risk Management (ERM)
- Provides a more extensive focus on risk. A key objective of the ERM framework is to help managers of businesses and other entities better deal with the wide range of risks that threaten organizational objectives.
- This framework is designed to accommodate most viewpoints and to provide a starting point for assessment and enhancement of ERM.
3) ISO 31000:2009
- Is applicable to organizations regardless of their size or sector.
- Its main role is to serve as an authoritative international benchmark.
- Although it can apply to individual aspects, it is geared toward enterprisewide risk management.
4) The National Institute of Standards and Technology (NIST)
- NIST SP 800-37 is an example of a risk management framework for a specific sector (U.S. federal government information systems, including the Department of Defense). Its principal steps are:
  1. Categorizing information and information systems.
  2. Selecting security controls.
  3. Implementing security controls.
  4. Assessing security-control effectiveness.
  5. Authorizing the information system.
  6. Monitoring security controls and information system security on an ongoing basis.
5) AS/NZS 4360:2004 Risk Management Standard
- Was designed to be used by organizations of any type and at any level of activity, from discrete operations to an enterprisewide view. It comprises seven key steps:
  1. Establish the context.
  2. Identify risks.
  3. Analyze risks.
  4. Evaluate risks.
  5. Treat risks.
  6. Monitor and review risk management processes.
  7. Communicate and consult with key stakeholders.


II.B.3 Risk Analysis and Evaluation, Including Correlation, Interdependencies, and Prioritization

II.B.3.i Risk Classification, based on:
(A) Natural risk: inherent risk; residual risk.
(B) Benefits: pure risk = destructive or negative = downside risk; speculative risk = opportunity = upside risk.
(C) How well they are understood: well-known risks (based on strong knowledge); hypothetical risks (based on incomplete or uncertain knowledge); unknown risks (based on an absence of knowledge).
(D) How they are to be expected: foreseeable risks; unforeseeable risks.
(E) Importance of the risk: theoretical risks (little impact); significant risks (the ability to frustrate strategy).
(F) Nicholson and Turner, 2010: business risks (stem from the nature of the business itself); non-business risks (risks not arising directly from the nature of the business). Risk types in this scheme include: strategy, financial, enterprise, disaster, product, economic, technology, property, governance, event, internal, regulatory, reputation, systemic, operational, and external.

II.B.3.ii Risk Analysis
(A) It is essential to understand the true nature of the risks.
(B) There are several intermediate steps between the trigger event and the risk itself.
(C) A series of causes and effects can result in significant consequences when combined, and such events can impact the earnings of the organization dramatically.

II.B.3.iii Risk Criteria
(A) Criteria are grouped under two headings:
- Governance risk criteria: set the framework in which risk management takes place and cover the four key factors (risk capacity, risk attitude, risk appetite, and risk tolerance).
- Assessment risk criteria: those that are needed for analysis and evaluation.
(B) Criteria may include:
- Likelihood
- Impact
- Vulnerability
- Velocity (speed of reaction and recovery)
- Volatility
- Interdependency: the causal relationship between two or among more risks
- Correlation: the interdependency of two risks

II.B.3.iv Risk Level or Severity
(A) Risk assessment includes:
- Assessing the likelihood.
- Assessing the impact.
- Assessing other dimensions (velocity, volatility, and interdependencies).
- Measuring the severity or level of the inherent risk.
- Comparing the severity of the risk with the related risk appetite.
- Determining an appropriate response when the residual risk is more than the risk appetite.
(B) To measure the true value of the impact, it is necessary to isolate the damage or positive opportunity the risk event would precipitate from other unrelated occurrences.

II.B.3.v Risk Mapping and Prioritization
(A) Risk map or heat map: graphical depiction of risks, usually on two axes of impact and likelihood.
(B) To design and implement consistent enterprisewide strategies that deliver strategic objectives, it is necessary to have an aggregated profile of risk.
(C) The organization needs to be able to communicate its risk profile to key stakeholders, especially owners and investors.
(D) Risk prioritization: ranking of risks by level or severity.

II.B.3.vi Risk Registers include the items in II.B.2 and the following:
- A unique risk ID number
- Risk type
- Date identified
- Cost (if the risk materializes)
- Risk appetite
- Other criteria (e.g., volatility, velocity, vulnerability)
- Cross-references to plans and associated risks
- Target date (for implementation of the treatment)
- Closure date

II.B.3.vii Risk Psychology
(A) Risk response: measures taken to address a risk.
(B) The psychological element is important when considering risk appetite.
(C) A group of managers may agree on the defined appetite of the organization, but each individual may vary when it comes to being either a risk taker or a risk avoider.
(D) The role of risk management is to try to lead organizations toward an understanding of risk and objective appraisal while recognizing both the inevitability and value of subjective impressions.
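The following is an added example, not code from the CRMA book, that turns the assessment steps in II.B.3.iv, the heat map and prioritization in II.B.3.v, and the register fields in II.B.3.vi into a small working risk register. It uses the book's definition of severity as the product of impact and likelihood, and expresses appetite per class of risk. The 1-5 scales, the heat-map colour thresholds, the appetite values and the four sample risks are all constructed for illustration; the book only states that the map has two axes.

```python
"""Added example (not from the CRMA book): a minimal risk register applying
severity = impact x likelihood, a likelihood/impact heat map, residual-vs-
appetite comparison, and prioritization by severity.
Scales, thresholds, appetite values and sample risks are assumptions."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumption: 1 (lowest) .. 5 (highest) on both axes


@dataclass
class Risk:
    risk_id: str                 # unique risk ID number (register field)
    description: str             # description of the risk event
    risk_type: str               # risk type, e.g. "Operational", "Technology"
    owner: str                   # risk owner
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int     # after the responses below are applied
    residual_impact: int
    responses: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact):
            if v not in SCALE:
                raise ValueError(f"{self.risk_id}: score {v} outside {list(SCALE)}")
        # Treatment may lower either axis but must not raise residual above inherent.
        if self.residual_severity() > self.inherent_severity():
            raise ValueError(f"{self.risk_id}: residual severity exceeds inherent")

    def inherent_severity(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_severity(self) -> int:
        return self.residual_likelihood * self.residual_impact


def heat_map_zone(likelihood: int, impact: int) -> str:
    """Bucket one cell of a 5x5 heat map. Thresholds are an assumption; a
    maximum-impact event is red regardless of how unlikely it is."""
    severity = likelihood * impact
    if severity >= 15 or impact == 5:
        return "red"
    if severity >= 8:
        return "amber"
    return "green"


def exceeds_appetite(risk: Risk, appetite: dict) -> bool:
    """Appetite is expressed per class of risk, with a default for the rest."""
    limit = appetite.get(risk.risk_type, appetite["default"])
    return risk.residual_severity() > limit


def prioritize(register: list) -> list:
    """Rank by residual severity, highest first; ties broken by impact so a
    rare catastrophic risk is not hidden behind a frequent minor one."""
    return sorted(register,
                  key=lambda r: (r.residual_severity(), r.residual_impact),
                  reverse=True)


def needs_treatment(register: list, appetite: dict) -> list:
    """Risk IDs whose residual severity is still above appetite, in priority order."""
    return [r.risk_id for r in prioritize(register) if exceeds_appetite(r, appetite)]


# Constructed sample data: appetite per risk class and a four-entry register.
SAMPLE_APPETITE = {"default": 8, "Compliance": 4, "Technology": 10}
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware on file servers", "Technology", "CIO", 4, 5, 2, 5,
         ["offline backups", "endpoint detection and response"]),
    Risk("R-002", "Late statutory filing", "Compliance", "CFO", 3, 3, 2, 3,
         ["filing calendar"]),
    Risk("R-003", "Key supplier insolvency", "Operational", "COO", 2, 4, 2, 2,
         ["dual sourcing"]),
    Risk("R-004", "Office flooding", "Property", "Facilities", 1, 3, 1, 3, []),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(r.risk_id, r.residual_severity(),
              heat_map_zone(r.residual_likelihood, r.residual_impact),
              "ABOVE APPETITE" if exceeds_appetite(r, SAMPLE_APPETITE) else "within appetite")
```

Note what the sample shows: R-001 sits in the red zone of the heat map yet is within the (deliberately generous) technology appetite, while R-002 is green-to-amber on the map but above the tight compliance appetite. The map zone and the appetite comparison answer different questions, which is why the book lists them as separate steps.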



II.B Evaluate Risk Management Processes
(A) Risk management and organizational objectives share a symbiotic relationship.
(B) RM should follow 12 principles (ISO 31000; AIRMIC, Alarm, IRM, 2010):
  1. Create value, as the gains are greater than the resources required for risk responses.
  2. Be integrated within routine organizational processes.
  3. Be integrated into ordinary decision-making processes.
  4. Provide a focus for identifying and understanding uncertainty.
  5. Be well structured and systematic.
  6. Be founded on accurate and reliable information.
  7. Be flexible to accommodate the features of the organization.
  8. Be reflective of the human element of activity.
  9. Be open and transparent.
  10. Be responsive to change through close monitoring of the organization's environment.
  11. Be focused on continuous improvement.
  12. Be subject to cyclical review.
(C) COSO's ERM components:
  1. Internal environment
  2. Objective setting
  3. Event identification
  4. Risk assessment
  5. Risk response
  6. Control activities
  7. Information and communication
  8. Monitoring
(D) The GAIT-R steps:
  1. Identify the business objectives for which the controls are to be assessed.
  2. Identify the key controls to provide reasonable assurance that the business objectives will be achieved.
  3. Identify the critical IT functionality relied upon for key business controls.
  4. Identify the significant applications where ITGCs need to be tested.
  5. Identify ITGC process risks and related control objectives.
  6. Identify the ITGCs to ensure they meet the control objectives.
  7. Perform a reasonable holistic review of all key controls identified.
  8. Determine the scope of the review and build an appropriate design- and effectiveness-testing program.

II.B.1 Setting Objectives at All Levels to Achieve Strategic Initiatives
(A) The vision, mission, and objectives should consistently express what the organization is trying to achieve.
(B) SMART objectives help ensure clarity and effective performance management, as follows: S: Specific, Stated; M: Measurable; A: Achievable; R: Resourced, Realistic, Relevant; T: Time-limited.
(C) The overriding aim of organizations tends to be survival, though not usually at any cost.
(D) The vision is a statement of where the organization wants to be, or a state of affairs it wishes to bring about in the future.
(E) A mission is a statement of the primary purpose of the organization.
(F) Sobel and Reding, and COSO: four types of objectives:
  1. Strategic objectives: longer term (3 or more years).
  2. Operational objectives: shorter term (within 12 months).
  3. Reporting objectives: communications to internal and external stakeholders.
  4. Compliance objectives: efforts to satisfy the formal requirements of legislation.
(G) The 8 Model for Strategy Execution: 1. Review and update, 2. Communicate, 3. Cascade, 4. Compare and learn, 5. Manage initiatives, 6. Set objectives, 7. Monitor and coach, 8. Evaluate performance.

II.B.2 Identifying Risks
(A) Identifying risks is a matter of removing surprises and losses.
(B) It is often the unexpected simultaneous occurrence of risks that takes organizations by surprise.
(C) It should be approached in a methodical way to ensure that all value-adding activities within the organization have been evaluated and all the risks flowing from these activities have been defined.
(D) Risk identification is the process of finding, recognizing, and describing risks (ISO 31000).
(E) It is important to focus on risks that are relevant and significant.
(F) The emphasis should be on the risks that require the board's attention.
(G) This does not mean that lesser risks can be ignored; however, there should be an appropriate allocation of effort.
(H) Shaping the risk universe (COSO): 1. Governance, 2. Globalization, 3. Business models, 4. Regulatory requirements, 5. Roles and responsibilities, 6. Technology, 7. Fraud.
(I) We can identify risks through:
  - Checklists
  - Benchmarking
  - Scenario planning
  - Vulnerability assessments
  - Risk brainstorming (thought-shower) sessions
  - Control risk self-assessment (CRSA)
  - Questionnaires or surveys
  - Risk identification workshops
(J) Sobel and Reding (2012) on risk identification: the first step is looking for the events that may precipitate risks; the second step is the development of the risk universe.
(K) Information that should be included in the risk register:
  - A description of the risk event
  - The risk owner
  - The inherent risk assessment (likelihood and impact)
  - The responses to the risk
  - The residual risk assessment (likelihood and impact)
  - A conclusion
  - Any actions to be taken
  - Monitoring controls to be applied


DOMAIN II: Principles of Risk Management (RM) Processes

II.B.4 Risk Response Including Cost/Benefit Analysis

(A) The risk response refers to any actions taken to modify the risk
(B) Determining the appropriate risk response is linked very closely to the overall risk attitude of the organization and its risk appetite
(C) Appetite may be expressed for classes of individual risks
(D) Attitude may apply to the philosophy of management and organizational culture
(E) Risk Attitude:
    A risk-averse attitude prefers options that offer the same or better return for a lower risk
    A risk-neutral attitude prefers the highest return while being indifferent to risk
    A risk-seeking attitude actively seeks high-risk strategies
(F) In deciding how much risk an organization should take, remember that value is a function of risk and return
(G) Sweet spot: The position of optimal risk-taking that maximizes benefits to the enterprise.
(H) Blended response: An organization will probably use a combination of responses to address each risk
(I) Risk Response includes:
    Tolerate/Accept
    Terminate/Avoid
    Transfer/Share
    Exploit
    Treat/Mitigate/Reduce
(J) Factors to take into consideration include:
    Risk attitude or risk appetite
    Risk capacity
    Risk tolerance
    Risk profile
    Whether a single treatment or more is required
    The cost of treating the risk compared with the benefits
    Whether the activity (giving rise to the risk) is core to the purpose of the organization
    The level of confidence that the treatments will operate with efficiency and effectiveness
(K) Sobel and Reding's Capability Criteria to gauge how much risk we can take:
    Readiness relates to how well the organization can mount its reaction to risks as they arise
    Agility relates to the ability to vary the response
    Resilience is a measure of the ability to mount the response in the context of a particular risk
    Controllability indicates how much influence the organization may exert over the risk
    Monitorability is a measure of the ability to track and receive accurate data on the risk
    Maturity is a reflection of the sum total of these capability criteria
    Degree of confidence reflects how well the risk is understood, varying among well-known, hypothetical, and unknown
(L) Risk Treatment under 4 Types of Controls:
    Preventative controls are designed to reduce likelihood
    Detective controls are designed to reduce likelihood
    Directive controls are designed to reduce likelihood & impact
    Corrective controls are designed to reduce impact
(M) IT Controls:
    IT general controls: Controls designed to ensure the integrity of IT outputs.
    IT application controls: Automated controls designed to ensure correct IT processing.
(N) Results of a 2005 Deloitte Study of UK Companies:
    Value is (and will always be) at risk from unexpected, unavoidable internal and external events.
    Value-creating companies focus on long-term risks and develop far-reaching strategies to address them
    Value-destroying companies rely on short-term tactics
    Risk avoidance is not effective in protecting companies from external shocks. The best approach is through value-creation, which makes business less risky and more value-enhancing.
    Class of Events:
        Exogenous events are the external "one-off shocks" and other situations that can be anticipated but not controlled
        Endogenous events are internal occurrences caused by management practices and corporate governance
    The report concludes that the most effective strategy for the management of long-term risks is proactive creation of value, rather than reactive responses to events as they occur

II.B.5 Developing and Implementing Risk Mitigation Plans

(A) Risk mitigation planning is the process of developing options and actions to enhance opportunities and reduce threats to project objectives
(B) The plan records what is required to implement the intended response or make amendments to existing responses
(C) Responses to risks of high criticality (i.e., those whose residual level is beyond the risk appetite) need to be addressed first
(D) Embedded risk management seeks to administer controls within routine activity as much as possible, rather than by creating additional processes.
(E) Steps to Develop a Risk Mitigation Plan:
    1. Understanding the nature of the risk
    2. Reviewing interdependent and correlated risks so that control may be achieved by the same treatment
    3. Identifying the risk owner
    4. Developing control objectives
    5. Breaking down the action required into manageable steps

II.B.6 Monitoring Risk Mitigation Plans and Emerging Risks

(A) Monitoring is:
    ISO 31000: Continual checking, supervising, critically observing or determining the status
    COSO: Ongoing monitoring of activities, separate evaluations, or a combination of the two
    Sobel and Reding: The assessment of the organization's context, ERM system, and business performance over time
(B) Monitoring risk mitigation plans:
    Helps facilitate assurance that the agreed-upon risk treatments have been established, are operational, and are having the desired effect
    May lead to an updating of the risk register
    Should include considering the cost-effectiveness of the treatments in place
(C) Emerging Risks: A new risk that is not fully understood and has not yet fully revealed itself.
    PwC's Study - Steps to Address Emerging Risks:
        1. Identify emerging risks relevant to the organization
        2. Assess the risk's significance and interconnectedness with other risks and implications to the business
        3. Determine risk response strategies, considering collaboration with external parties
        4. Routinely monitor emerging risks through the effective use of indicators
    Key Conclusions:
        Applying ERM principles to emerging risks represents an opportunity to fully capture the rewards of effective risk management, as manifested in the organization's ability to detect and respond to large-scale risks
        By using innovative approaches such as scenario analysis and event simulations, organizations will be better able to identify and prioritize emerging risks to protect value and further the organization's strategy and objectives



DOMAIN II: Principles of Risk Management (RM) Processes

II.B.7 Reporting Risk Management Processes and Risks

(A) The Purpose of Reporting:
    To provide assurance to management and the board that risk management processes are effective
    Support management in its understanding of risk and its preparedness for risk events
    Respond to changes in the risk profile
(B) RM Reporting includes:
    Changes in the risk register or new risks
    Weaknesses identified in the internal control system
    Risk incidents (risks that have materialized as events)
    Updates on actions taken to treat risks
(C) Reporting should consider the information needs of both internal and external stakeholders
(D) Communication related to risk management processes needs to be evidence-based, timely, relevant, and in a format that facilitates assimilation and understanding
(E) All organizations run the danger of information overload. Therefore, focusing on the salient points serves to enhance communication.
(F) It is important to avoid being seduced by what the technology can do, rather than paying attention to what it reveals about organizational risk
(G) The second line (in the 3 lines of defense, the "RM function") is responsible for reporting adequate risk-related information throughout the organization
(H) Risk Escalation:
    Is the process of reporting risk incidents up the line
    The purpose of escalation is:
        * Partly to keep managers informed of risk incidents, &
        * To precipitate implementation of a contingency plan
    The greater the threat (or opportunity), the higher up the chain the reporting should go; especially if it is apparent that the internal controls are ineffective
    There should be a designated point at which escalation is required, starting with risk capture (the ability to recognize and record that a risk event has occurred)
(I) Contingency Plan:
    Is a provisional plan for addressing the impact of a risk incident
    Contingency planning should be considered at the point of determining the appropriate risk response
    An organization can usually tolerate a higher level of risk if it knows that there is a fallback plan that will recover the situation after an incident
    Given the importance of survival, significant resources are often allocated to such plans
    In addition to reporting risk incidents, there is value in considering near misses

II.B.8 Periodic Review of Risk Management Processes to Aid in Continuous Improvement

(A) The purpose of periodic reviews is to identify issues that may affect any of the elements of the adopted risk management approach, examine them carefully, and determine whether changes are required or improvements are possible
(B) There is always the potential that parts of any system may become weakened or fail altogether
(C) Three aims of reviewing RM processes (Sobel & Reding):
    1. To identify and repair weaknesses and faults in risk management processes. To achieve this aim, it is necessary to review the system of risk management processes themselves.
    2. To identify changes in the organization's objectives and environments, and ensure risk management processes remain in alignment. To achieve this aim, it is necessary to review the organizational context.
    3. To determine that the organization is achieving its goals. To achieve this aim, it is necessary to review business performance as defined for the organization.
(D) Treasury Board Secretariat (TBS) Guidance:
    Components of a strategy for periodic review of RM processes:
        Clear roles and responsibilities for monitoring and review to all parties
        Effective integration with other oversight and assurance functions
        Careful consideration of the timing of reviews to facilitate participation of all key players, and avoiding clashes
        Appropriate communication mechanisms to promulgate lessons learned to all key stakeholders
        Well-documented records of expected outcomes from RM
        Other performance indicators and measures that are subject to periodic review
    Outlines the focus of the review to:
        Confirm that RM is adding value to decision-making
        Validate that an organization's RM approach and process are appropriate for its RM needs and remain responsive to its external and internal context
        Ensure ongoing relevance, effectiveness, and efficiency of the RM approach and process
        Check for new approaches, tools, and ideas
        Assess compliance with relevant laws, regulations, and policies
        Assess the allocation of resources in risk responses as part of a cost-benefit analysis
(E) Seven areas in which RM should aim to make progress (Leitch):
    1. A greater focus on and investment in internal controls, and a move away from remediation and compliance measures
    2. Continued movement toward convergence of internal control and risk management
    3. The development and adoption of better methods to quantify risk, and moving performance metrics away from the traditional high, medium, and low classifications
    4. Less focus on the risk register as an end in itself, and more emphasis on improving controls and embedding risk awareness into projects
    5. Greater understanding and application of psychological factors that impact RM processes
    6. Continued movement toward convergence of risk and performance management, to remove the reliance on two separate systems and overlapping sets of records
    7. Greater use of a more technical approach to producing risk registers, with additional reliance on mathematical models



DOMAIN III: Assurance Role of the Internal Auditor

Introduction to Domain III

(A) Cornerstones of Governance:
    1. Internal Auditing
    2. External Auditing
    3. Executive Management
    4. Board of Directors
(B) Audit universe: The summation of all possible internal audits
(C) As enterprisewide risk management becomes established in organizations, the internal audit activity can progress from being risk-based to being ERM-based
(D) If the risk management framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board
(E) It is important for audit planning to be ERM-based rather than simply risk-based because, with an effective, integrated, enterprisewide approach to risk management, internal audit no longer needs to identify the risk universe (Sobel and Reding 2012). Management takes on that responsibility, and the internal auditors adopt it as the basis for describing the internal audit universe
(F) To maintain its independence and objectivity, the internal audit activity must never be wholly dependent on ERM, and the internal auditors must exercise their own judgment about internal audit priorities
(G) IIA Standard 2050 requires the CAE to coordinate assurance through assurance mapping and other techniques
(H) Assurance mapping: The act of coordinating all assurance activities to identify and eliminate gaps and overlaps.
(I) Internal Audit Roles in ERM:
    Core Roles:
        Providing assurance on the risk management process
        Giving assurance that risks are correctly evaluated
        Evaluating risk management processes
        Evaluating the reporting of key risks
        Reviewing the management of key risks
    Legitimate Roles with Safeguards (temporary basis):
        Facilitating the identification and evaluation of risks
        Coaching management in responding to risks
        Coordinating ERM activities
        Consolidating the reporting of risks
        Maintaining and developing the ERM framework
        Championing the establishment of ERM
        Developing ERM strategy for board approval
        These should be on a temporary basis only, with safeguards and a plan for handing them over to management, with the following provisions:
            1. Managing risk is the responsibility of management
            2. The audit committee should approve it in advance as a temporary measure
            3. The internal audit function should never be required to take on risk management responsibility
            4. Any internal audit roles - other than assurance - are considered consulting
    Roles Internal Audit Should Not Undertake:
        Setting the risk appetite
        Imposing risk management processes
        Managing assurance on risks
        Making decisions on risk responses
        Implementing risk responses on management's behalf
        Assuming the ownership of and accountability for risk management

III.A Review the Management of Key Risks

(A) Key Risk Indicators (KRI): Metrics that may be used as lead indicators of exposure (a lead indicator of risk-triggering events or conditions)
(B) Lag indicators are those that reveal what is happening after the fact (a measure of something that has already impacted the organization)
(C) Lead indicators provide a sign of what will occur in the short- to mid-term (a measure of something that will impact the organization)
(D) Key Risks are those with the highest severity rating and the potential for the highest impact
Kinds of KRI (Mainelli's model):
    1. Challenge indicator: reveals the root cause of a risk event and should encourage an organization to take appropriate action to prepare itself for the impact. "Has the trigger event occurred?"
    2. Action indicator: provides feedback on actions taken to show that they have been implemented correctly. "Have the responsive actions been taken?"
    3. Health indicator: "first indicator of impact", showing whether the action has restored the organization to normal health or whether further action is required. "Has the risk event begun to impact on performance?"
    4. Risk incident indicator: records the final impact. "What is the ultimate impact on value?"
(E) How does internal audit evaluate the management of key risks?
    In planning an engagement, the internal auditor considers the significant risks of the activity and the means by which management mitigates the risks to an acceptable level
    The internal audit activity needs to identify areas of high inherent risk, high residual risks, and the key control systems upon which the organization is most reliant
    As part of the planning process, the internal auditors should identify how they will provide assurance on the effectiveness of controls used to mitigate key risks and offer advisory services to help rectify or improve existing systems of control
    As a result of resourcing constraints and other priorities, the internal auditors may not be able to review all key risks. This can be addressed partly by coordinating assurance for those risks from other providers, which will, of course, influence the audit-planning process
(F) Management of Key Risks:
    Internal auditors are responsible for evaluating the management of key risks and verifying that the necessary stages are in place. This includes:
        1. Key risks are identified
        2. Emerging key risks are identified and monitored closely
        3. Key risks are analyzed, evaluated, and duly prioritized
        4. Responses for key risks are agreed, implemented and monitored for effectiveness
    When reviewing the management of key risks, the internal auditors specify the scope and objectives of the audit and gather relevant evidence in accordance with the Standards.
    Internal auditors must determine whether the evidence satisfies the criteria for information (Sufficient, Reliable, Relevant, and Useful)
    Information-gathering methods are a) Documentary Analysis, b) Interviews, c) Focus Groups, d) Testing, e) Observation, and f) Walkthrough
    When drawing conclusions, the internal auditor must compare the findings with what is expected by defined policies and procedures and recognized as good practice
    Positive assurance is based on evidence indicating either conformance or non-conformance to agreed standards
    Negative assurance is based on an absence of evidence that would indicate failure



DOMAIN III: Assurance Role of the Internal Auditor

III.B Evaluate the Reporting of Key Risks

(A) Board's Responsibilities related to Reporting of Key Risks:
    Staying aware of the key risks and how management is addressing them
    Being familiar with the adopted approach for risk management
    Knowing how well ERM is operating in the management of key risks
    Regularly reviewing the key risks against risk appetite
(B) Effective reporting tends to depend on well-defined processes, rather than something loosely specified
(C) Best Practices in Risk Reporting (Walker, Shenkir, & Barton) include:
    Using a variety of risk reporting approaches
    Tailoring reporting methods to suit the needs of the organization
    Making reference to recognized risk management standards
    Keeping it simple, by limiting the number of key risks to 5-20
    Reporting regularly
    Updates on risk management action plans
    Keeping directors informed without duplicating the work of subcommittees
    Training directors to understand their responsibilities
    Keeping risk oversight independent of the CEO
    Ensuring information flows up and down

III.C Provide Assurance that Risks Are Adequately Evaluated

(A) Key Steps to Assurance:
    An assuror
    Specified subject matter on which assurance is being given
    The application of criteria for evaluation
    The consideration of evidence that is sufficient, relevant, and reliable
    An independent and objective audit opinion
    A target recipient for the audit opinion
(B) A Strategic View of Assurance: Strategy > Objective > Risk > Internal Control > Audit & Assurance
(C) How is the internal audit activity able to provide assurance? As a result of a systematic review and evaluation that reflects the risks associated with the area being audited, the internal auditors can reach an independent and objective conclusion (opinion) about the effectiveness of internal controls.
(D) Levels of assurance:
    Reasonable assurance: Strong (but not absolute) assurance that requires due professional care
    Absolute assurance: An opinion of total confidence that all controls are effective and will remain so; this cannot be given
(E) How to reach an appropriate conclusion:
    A clear scope and a set of objectives for every audit
    Objectives should be referred to throughout the evidence-gathering process
    Robust testing methods should include the right approaches and level of sampling
    Findings must be considered in turn, and conclusions must be drawn holistically, with a big-picture perspective
    Objectivity requires that the internal auditors follow the evidence without pre-conceived ideas or the desire to prove a point
(F) Assurance-provider Classes:
    Management Assurance
    Internal Independent Assurance
    External Assurance
(G) The internal audit activity is the only part of the organization with the competence to evaluate the effectiveness and efficiency of the assurance provision arrangements
(H) The internal auditors may rely upon the work of other assurance providers to express an opinion, but must assess their work periodically

III.D Provide Assurance on Risk Management Processes

(A) Assurance on Risk Management Processes should consider:
    Identification and assessment of inherent & residual risks
    The establishment of mitigating controls, contingency plans, and monitoring activities
    The maintenance of risk registers
    The completion of risk documentation
    Monitoring and review
    Communicating the acceptance of unacceptable risks
(B) Assessing the Adequacy of Risk Management falls under several categories:
    Staff skills and knowledge
    Senior management involvement
    Embedded processes in decision-making
    Fitness for purpose
    Responsiveness to changes
(C) Options for Gathering the Evidence:
    Analyze sector trends
    Assess arrangements for reporting
    Review organizational strategy
    Review risk analysis
    Review previous risk evaluation reports
    Observations & testing
    Interviews
    Assimilate information
(D) Assurance Approaches:
    Assurance Approaches (ISO 31000):
        1. Validation of Process Elements Approach, covering the ISO 31000 process elements:
            1. Communication
            2. Context
            3. Risk identification
            4. Risk analysis
            5. Risk evaluation
            6. Risk responses
            7. Monitoring and review
        2. Key Principles Approach, covering the ISO 31000 principles that risk management:
            1) Creates and protects value
            2) Is integrated in organizational processes
            3) Is part of decision making
            4) Explicitly addresses uncertainty
            5) Is systematic, structured & timely
            6) Is based on the best available information
            7) Is tailored to each organization
            8) Considers human and cultural factors
            9) Is transparent and inclusive
            10) Is dynamic, iterative and responsive to change
            11) Promotes continuous improvement
        3. Maturity Model Approach:
            Risk management processes should evolve and develop along with the organization's understanding of and attitude toward risk
            For evidence of risk maturity evolution, the internal auditors look for performance measures that demonstrate risk management progress
    Sobel and Reding (2012) Approaches:
        Comprehensive Assessment Approach: operates like a combination of the process elements and key principles approaches
        Maturity Assessment Approach



Domain IV: Consulting Role of the Internal Auditor

Introduction to Domain IV

(A) Differences between Assurance and Consulting Engagements:
    Assurance: Provide an independent opinion based on an objective assessment of evidence
    Consulting: To offer advice, usually at the request of management

    Assurance: The need for consultation is identified in the first place, leading to discussions with management regarding actions
    Consulting: Provide additional assurance by giving management detailed insights on a particular aspect of the organization

    Assurance: Assurance for ERM is generally delivered when everything needed is already in place
    Consulting: Consultancy is required when there are no systems and processes, or they are new, incomplete, or less than optimal

    Assurance: The CAE should secure the needed resources from other sources if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement
    Consulting: The CAE must decline the engagement or obtain competent advice and assistance if the internal auditors lack the knowledge or other competencies needed for the engagement

    Assurance: Internal auditors must not audit areas for which they had direct responsibility within the past 12 months
    Consulting: Internal auditors may provide consulting services to areas for which they had direct responsibility within the past 12 months

    Assurance: Objectives must be based on risk assessment
    Consulting: Objectives must be consistent with the organization's strategic aims
(B) If an assurance engagement identifies the potential value that consulting may bring to the same area of review, the scope must not shift from assurance to consulting without setting out a new proposition
(C) When serving as consultants, the internal auditors must adopt a different mindset from that of assurance, even though they will employ the same expertise and build useful knowledge
(D) Kinds of Consulting Services (Sawyer's Guide):
    Business process improvement
    Continuous monitoring
    Control self-assessment of risk and control self-assessment
    Forensic auditing
    Governance and ethics training
    Internal control review
    Internal control training
    Participation on committees or task forces
    Readiness
    Review of a new product or service before implementation
    Risk self-assessment
(E) If there are any impediments to independence or objectivity, they must be declared before accepting the engagement
(F) It is clear that a consulting engagement should not be accepted simply because management requests it. It must be relevant and planned

IV.A Facilitate Identification & Evaluation of Risks

(A) A useful way to achieve this is through a brainstorming (or "idea shower") session with the internal auditor
(B) Instruction tells management what risks it faces and does the evaluation with the managers
(C) Facilitation means acting as a resource for management, enabling the organization to identify its risks and arrive at its own conclusions about their value
(D) An effective facilitator must be skilled in:
    * Planning facilitation sessions
    * Guiding individuals through the facilitation objectively to reach their own conclusions
    * Managing people and time
    * Critical thinking to process and summarize information
(E) Facilitation Stages:

IV.A.1 Understand the Needs of the Client
    This requires a series of discussions to ensure that both sides are clear and have a shared understanding and common expectations of the desired outcomes
    It is necessary to come to an agreement about the appropriate techniques, level of detail, reference material, and benchmarks to be used
    It could be very unhelpful to employ a highly sophisticated approach when neither the complexity of the operations nor the present maturity level of the risk management processes warrants it
    A good starting point (by the internal auditor) is risk management maturity

IV.A.2 Confirm the Scope and Objectives with the Client
    The client is responsible for the objectives of advisory services, such as facilitation
    The Standards require that the objectives, scope, responsibilities, and expectations must be: a) Clear and agreed, b) Documented (for significant engagements), c) Specific, d) Consistent with the organization's objectives, e) Sufficient
    The scope includes the areas of activity to be included in the risk identification and analysis; such as:
        * All key or strategic risks for the organization.
        * The risks associated with the implementation of a new IT system.
        * Specific risks within an area of activity where controls have been found to be weak.
    The agreed scope and expectations help determine who should attend the risk identification and evaluation sessions
    Contents for a Consulting Engagement Scope: a) Responsibilities, b) Timescales, c) Focus, d) Deliverables, e) Planned Activity, f) Standards, g) Resources Needed

IV.A.3 Plan the Facilitation Exercise
    The internal auditor must think carefully about the structure of the activity: who will attend, the timing and location, resources needed, the initial information that needs to go to participants to help them prepare, and the best way to ensure that the desired outcome will be achieved

IV.A.4 Facilitate the Activity
    Techniques & Tools:
        Icebreaker
        Brainstorming
        Groupthink (herd instinct)
        Survey or Questionnaire
        Checklists and Benchmarks
        Vulnerability assessments & control risk self-assessments
    The risk register records risk identification and evaluation
    As ideas are generated, the facilitator will summarize at regular intervals to keep the event on track
    The facilitator could ask participants to determine which process is a source of risk with regard to third-party contracts
    The facilitator should end the session with a summary and concluding comments
    The summary may include a review of what has been achieved, comparing the set and achieved objectives for the planned session, and agreeing action points

IV.A.5 Review the Effectiveness of the Activity
    A review is always helpful to sharpen processes for the future, as well as to check whether something to be completed later has been overlooked
    A comparison between what was planned and what actually occurred will help identify opportunities for improvement

IV.A.6 Report Outcomes
    The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties

IV.A.7 Make Recommendations / Propose Further Actions
    The internal auditor should discuss with the client any further actions that may be required, either to satisfy the original objectives of the engagement or to build upon the outcomes of the work completed



Domain IV: Consulting Role of the Internal Auditor

IV.B Coach Management in Responding to Risks

(A) Coaching: A process of helping others develop through personal growth and discovery
(B) There are different models for coaching, but they all share a common focus on enabling someone else to learn, develop, or achieve
(C) A coach does not provide the answers to a problem but helps others to work out a solution that is appropriate for them and their circumstances
(D) Coaching should not be seen as a way to fix a problem. Rather, it contributes toward a culture of continuous improvement and increasing risk management maturity
(E) Difference between Mentor & Coach:
    Mentor: Someone who has a particular experience, knowledge, or skill, and may be more senior than the person being mentored
    Coach: A coach may not have specific prior knowledge or experience, or be more senior than their client

    Mentor: The relationship is specific to a period of transition as someone enters a new role or takes on new responsibilities that are within the mentor's own experience
    Coach: The focus is not primarily on getting someone through a challenging period (shorter than mentoring) but on equipping them for continued success in the future
(F) The coach needs to understand the present level of performance in the area to be developed (in this case, responding to risks) and focus attention on getting the client to explore alternative approaches that can yield improvements
(G) Coaching may be used at any stage in an organization's risk management maturity
(H) Benefits of Coaching:
    For individual managers:
        Greater confidence & self-esteem
        Greater potential
        Greater skills in addressing risk
        Improved motivation & satisfaction
        Greater ability to sustain ongoing improvement
        Heightened career prospects
    For management as a whole:
        Improved sense of collective responsibility
        Improved confidence in addressing risk
        Improved motivation
        Improved learning culture
        New capabilities to be shared
(I) The need for coaching does not mean that senior management or the board has concerns about an individual's ability, and the client should be able to talk freely
(J) The best approach to take is to support management in a self-assessment of the present effectiveness of responding to risk
(M) Considerations when IA provides coaching to management:
    Scope
    Safeguards
    Objectives
    Timescales
    Expectations on both sides
    Independence of internal audit
    Management must accept responsibility

IV.C Coordinate Risk Management Activities

(A) As maturity evolves, it is likely that risk management activities were developed initially in silos (i.e., separately in different parts of the organization)
(B) Maynard's list of roles the internal auditors can play in risk management activities:
    1. Analyzing the audit universe to reveal audit priorities
    2. Analyzing management's ability to achieve its stated goals in pre-audit narratives
    3. Examining internal controls from the top downwards
    4. Analyzing the processes for establishing and overseeing risk limits
    5. Reviewing other risk management functions, such as treasury & compliance (big picture on risk exposures)
    6. Observing the strategic planning process and its results
    7. Evaluating strategic initiatives
    8. Integrating audit activities
    9. Basing the audit process on the net effect of risk exposures and compensating controls
    10. Partnering with management by providing consulting services
    11. Reviewing ethics as a basic element of internal control
    12. Conducting a comprehensive audit of the entire risk management program
(C) Internal auditors are likely to be involved in the following areas of risk management coordination:
    Reviewing documentation and records related to RM
    Holding meetings with managers to ensure they are aware of their responsibilities
    Determining timetables and deadlines for risk reviews, risk register preparation, and updates
    Organizing discussions with risk owners and other stakeholders
    Providing research and information to support ongoing improvement to RM maturity
(D) Overview of Risk Management Coordination - review and seek to standardize:
    a. Risk identification & evaluation
    b. Risk response planning & implementation
    c. Risk reporting
    d. Risk recovery
    e. Processes for monitoring & continuous improvement
    f. Infrastructure & processes
(E) Goals of Risk Management Coordination - coordination of RM activities:
    a. Single integrated management overview
    b. Common language
    c. Common documentation
(F) What management requires from risk management is a clear and consistent picture of the exposure to risk and the degree of preparedness for materializing risks
(G) The internal auditor must ensure that all those involved in RM coordination understand and are applying common terminology, and ensure that teams use common tools for recording risks, risk incidents, and mitigation plans
for managing risk (H) If there are inconsistencies, the
(K) The next stage is to help management set goals for improvements
internal auditor may recommend that d. Common methods
management provide guidelines and e. Common standards & objectives
3. Establish goals 2. Identify desired changes 1. Create A safe environment (L) Coaching training to reinforce uniform vocabulary d. Holistic approach to training
Steps
4. Recognize required 5. Facilitate improvement 6. Anticipate 7. Guide through e. Integrated Reporting
improvement of strategy development potential barriers improvement process

Summary of CRMA Book - 1st Edition Page 13 of 14 samehacc1@gmail.com


IV.D Consolidate Reporting on Risks

(A) One of the key roles of a CRO is to bring together various pieces of risk reporting. In the absence of a CRO, the CAE may be asked to undertake this role but not to become the risk manager (just a coordinator).

(B) Purposes of Risk Reporting:
- Governance & Risk Oversight
- Planning & Decision-making
- Regulatory Requirements
- Effective Business Monitoring
- Periodic Review
- Maintaining Routine Operations
- To Encourage Accountability
- Provision of Assurance

(C) Reporting needs to be planned, with a clear schedule of times, audiences, format, and content.

(D) Considerations of Internal & External Reporting Needs

Internal Reporting
The Board: the board needs to know whether risk management is operating as intended. It needs assurance that risk responses are enabling the organization to exploit opportunities and maintain risk exposures within appetite.
Sobel and Reding (2012) analyze the reporting needs of the board under:
- Immediate communications: relate to significant risk events.
- Periodic written communications: periodic reports on key risk indicators.
- Periodic presentations: usually made to coincide with the timetable for board meetings.
Other (Staff & Managers): an effective system for such reporting includes tolerance levels that (when exceeded) require escalation to the next level of authority. The purpose of reporting is not only to provide information but also to seek authority and resources to initiate remedial action.

External Reporting
There are disclosure requirements for a listed company's annual reports, as shareholders need to know how secure present value and future earnings are.

IV.E Maintain and Develop the Risk Management Framework

(A) A request for consulting must only be for a specified period of time.

(B) 5 Phases in RM Framework Evolution, Pickett (2005)
Phase 1: Risks are seen as something to be endured. The organization faces risk in its external environment through change and unpredictability, where risks are largely regarded as threats to achieving goals.
Phase 2: There are strategic solutions to risks. Seven Strategic Solutions:
1. Aligning risk appetite and strategy.
2. Improving decision-making in response to risk.
3. Reducing operational surprises (and losses).
4. Being aware of and addressing cross-enterprise risks.
5. Integrating responses to multiple risks across the organization.
6. Identifying and taking advantage of upside risks (opportunities).
7. Improving the deployment of resources informed by risk awareness.
Phase 3: RM is recognized. Risk appetite is defined. List of 11 C's (determinants of risk appetite): 1. Capability 2. Commitment 3. Choice 4. Consistency 5. Context 6. Challenge 7. Communication 8. Clarity 9. Controls 10. Core value 11. Culture.
Phase 4: Risk management needs to become a well-defined and distinct (albeit, integrated) activity in its own right. This phase is something that the organization does as part of its operations.
Phase 5: RM is enterprise-wide & embedded.
This model does serve to highlight features that are key to risk management frameworks, and may be introduced and developed as the approach becomes more sophisticated.

To develop the framework, the internal auditor can make recommendations to management regarding opportunities to strengthen internal controls, improve efficiency and/or effectiveness, add value to reporting arrangements, adopt more sophisticated tools for analysis and evaluation, and add to the maturity of risk management processes in any way.

IV.F Advocate for the Establishment of Risk Management

(A) In an extreme case, an organization wholly ignorant of risk would carry on, with regular surprises and disappointments as a result. This is simply tolerating or accepting risk with an unlimited appetite but without any degree of forethought and planning.

(B) The internal auditor could use whistleblowing as a means of encouraging management to address risk more robustly.

(C) "The Auditors' Contribution": a basic level of knowledge about risk responses and internal controls is not sufficient to act as an advocate for risk management. (Matthew Leitch)

(D) If the internal auditors are serious about advocating risk management as a robust, agile, and valuable part of organizational activity, they need to promote risk responses that go beyond the obvious. (Matthew Leitch)

(E) The short reason for advocacy is to improve the enterprise-wide attitude toward risk. The longer reason involves deciding which elements need strengthening.

(F) Advocacy Steps for Risk Management:
1. Research and Preparation
2. Agree Objectives
3. Set Targets and KPIs
4. Stakeholder Analysis
5. Identify Resources Needed
6. Develop Key Messages
7. Design Strategies
8. Plan and Deliver Strategies
9. Monitor Delivery
10. Evaluate Outcomes
11. Report to Management

IV.G Develop Risk Management Strategy for Board Approval

(A) One of the key responsibilities of the board with respect to risk management is to approve the strategy.

(B) Elements of Risk Management Strategy:
1. Role and Purpose
2. Objectives and KPIs
3. Rationale and Principles
4. Interdependencies
5. Standards, etc.
6. Definitions
7. Risk Policies
8. Processes
9. Administration
10. Gap Analysis
11. Action Plan
