Summary of CRMA Book ALL Domains
DOMAIN I: Organizational Governance Related to Risk Management Processes

Definitions of Risk
• AS/NZS: The chance of something happening that will have an impact on objectives
• ISO 31000: The effect of uncertainty on objectives
• Positive impact (benefits) = upside; opportunity = positive risk
• Negative impact = downside; risk = negative risk
• Risk severity: The product of impact and likelihood
• Residual risk (ISO 31000): The risk remaining after risk treatment

Benefits of Defining Risk Appetite
• Provides a starting point for risk management
• Confirms a common purpose and facilitates an enterprisewide and embedded approach
• Enables a clear expression of the objective for risk management: to manage residual risk within risk appetite
• May serve as part of the evidence base for a critical decision
• Can be readily communicated and shared
• Facilitates the deployment of resources toward those areas where residual risk remains high

I.A Assess Risk Management Processes in the Context of Alignment with Strategic Imperatives
The main processes of risk management relate to: analysis, risk response, monitoring, and reporting.

COSO definition of risk management: A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO ERM:
1. Aligning risk appetite and strategy
2. Enhancing risk response decisions
3. Reducing operational surprises
4. Identifying and managing multiple and cross-enterprise risks
5. Seizing opportunities
6. Improving deployment of capital

I.A.1 Objectives of Risk Management Processes
• Contribute to the long-term survival of the organization
• Maximize the value delivered to all stakeholders
• Be better placed to take advantage of opportunities as they arise
• Link growth, risk, and return
• Safeguard the assets and reputation
• Facilitate greater operational effectiveness and efficiency
• Increase the likelihood of achieving objectives
• Comply with legal and regulatory requirements
• Improve organizational learning and resilience
• Help an organization become more risk mature by considering its current and future risks
• Improve the understanding an organization has of itself and its activities, to enable better decision-making, operational management, and deployment of capital and resources
• Reduce uncertainty and volatility in those areas of organizational activity that do not benefit from being risk-laden

Requirements for Effective RM
1. RM exists to serve the organization, not vice versa
2. It needs to be enterprisewide
3. It requires a coordinated and consistent framework
4. It is not designed to be a brake on ambition
5. It needs to be cyclical and iterative

Cyclical Nature of RM Processes
1. Set risk appetite
2. Identify risks
3. Analyze risks
4. Agree risk response
5. Implement response
6. Monitor and report
7. Review
8. Increase risk maturity
9. Improve organizational effectiveness

I.A.2 Levels of Risk Maturity
Risk maturity: A measure of the level of risk culture, that is, the overall attitude and approach to dealing with risks, either more or less mature or risk aware. Levels, from lowest to highest:
1. Risk-naïve (lowest)
2. Risk-aware
3. Risk-defined
4. Risk-managed
5. Risk-enabled (highest)

I.A.3 Risk Capacity, Appetite, and Tolerance of the Organization
• Risk capacity: The ability to accept risk
• Risk appetite: The preparedness to accept risk
• Risk tolerance relates to risk appetite, but tolerance represents the application of risk appetite to specific objectives. While risk appetite is broad, risk tolerance is tactical and operational.
• Once appetite is defined, risk management's role is to establish internal controls and other measures necessary to ensure that residual risk falls within the risk appetite
• Risk appetite focuses attention on areas in which residual risk remains above tolerable levels and may facilitate the allocation of additional resources to better control risk or exploit opportunities

Features of a Successful Risk Culture (IRM)
1. Leadership and commitment from the highest levels
2. Adherence to ethical principles and concern for all stakeholders
3. Recognition of the need for effective risk management
4. Ready access to reliable information
5. Encouragement to share information when things go wrong
6. Application of risk management to all activities
7. Encouragement and reward for appropriate risk-taking, as well as sanctions for reckless or negligent approaches
8. Ready access to support and resources for the development of risk management skills
9. Acceptance of multiple perspectives to challenge the approaches adopted
10. Alignment of risk culture with the organizational culture
I.B Assess the Processes Related to the Elements of the Internal Environment in Which Organizations Seek to Manage Risks and Achieve Objectives

McKinsey 7S Model/Framework
In the 7S framework, the seven dimensions (an interacting, connected mesh) are described as:
• Hard elements, which are readily grasped and manipulated by management (3 elements): 1. Strategy, 2. Structure, 3. Systems
• Soft elements, which are much less tangible and more difficult to change (4 elements): 1. Style, 2. Shared Values, 3. Staff, 4. Skills

Root cause analysis: helps prevent additional rework and proactively addresses future recurrences of the issue.

I.B.1 Integrity, Ethical Values, and Other Soft Controls
• Organizations in many jurisdictions are required to comply with legislation designed to promote ethical conduct
• It is critical that organizations are clear about the importance of an authentic attempt to establish and maintain an ethical environment
• Business ethics: A set of moral principles applied to organizational activity
• Business ethics are relevant both to the conduct of individuals and to the conduct of the organization as a whole
• Related soft controls: employment practices, confidentiality, codes of conduct

I.B.3 Management's Philosophy and Operating Style
Characterizing the style and philosophy of management:
• Autocratic style: Little or no consultation, while power and control are held centrally
• Democratic style: More inclusive, taking account of the views and inputs of others and including them in collective responsibility. A highly decentralized style with plenty of consultation.
• Laissez-faire: A "hands-off" style with little or no intervention (power is highly decentralized). This style works when routines are very settled and staff members are highly experienced.

McGregor's Theory X, Theory Y Model for Motivation: Theory X depends almost exclusively on hard controls; Theory Y makes much greater use of soft controls.

Blake and Mouton's Managerial Grid (used to analyze the style of management):
Style | Concern for people | Concern for tasks | Characteristics
1. Team | High | High | Participative and proactive leadership style
2. Produce or Perish | Low | High | Performance is the primary focus; management tends to be formal and authoritative
3. Country Club | High | Low | Democratic and inclusive
4. Impoverished | Low | Low | Very laissez-faire, "hands-off" approach
5. Middle of the Road | Medium | Medium | Balanced view of tasks and people

I.B.9 Internal Policies
• Risk management processes may also be guided by policy documents that include a description of the objectives of risk management and an account of how it is to be effected within the organization
• Because internal policies are part of the control environment, it is important to review the risk management processes for relevance, timeliness, and effectiveness

Approaches to Analyze the External Environment
• PESTEL represents the influences that are: Political, Environmental, Social, Technological, Economic, Legal
• Porter's Five Forces model determines the degree of rivalry that exists within segments of a given market or the market as a whole: 1. Threat of new entrants, 2. Power of customers, 3. Power of suppliers, 4. Substitute products, 5. Degree of rivalry

I.C.2 Needs and Expectations of Key External Stakeholders (e.g., involved, interested, influenced; promoters)
DOMAIN II: Principles of Risk Management (RM) Processes

RM processes should (items 9 to 12 of the source list):
9. Be open and transparent.
10. Be responsive to change through close monitoring of the organization's environment.
11. Be focused on continuous improvement.
12. Be subject to cyclical review.

II.B.1 Setting Objectives at All Levels to Achieve Strategic Initiatives
(A) The vision, mission, and objectives should consistently express what the organization is trying to achieve
(B) SMART objectives help ensure clarity and effective performance management, as follows:
S: Specific, Stated
M: Measurable
A: Achievable
R: Resourced, Realistic, Relevant
T: Time-limited
(C) The overriding aim of organizations tends to be survival, though not usually at any cost.
(D) The vision is a statement of where the organization wants to be, or a state of affairs it wishes to bring about in the future
(E) A mission is a statement of the primary purpose of the organization
(F) Sobel & Reding, and COSO's 4 types of objectives:
1. Strategic objectives: longer term (3 or more years)
2. Operational objectives: shorter term (within 12 months)
3. Reporting objectives: communications to internal and external stakeholders
4. Compliance objectives: efforts to satisfy the formal requirements of legislation
(G) The 8 Model for Strategy Execution:
1. Review and update
2. Communicate
3. Cascade
4. Compare and learn
5. Manage initiatives
6. Set objectives
7. Monitor and coach
8. Evaluate performance

(C) COSO's ERM Components
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring

(D) The GAIT-R Steps
1. Identify the business objectives for which the controls are to be assessed
2. Identify the key controls to provide reasonable assurance that the business objectives will be achieved
3. Identify the critical IT functionality relied upon for key business controls
4. Identify the significant applications where ITGCs need to be tested
5. Identify ITGC process risks and related control objectives
6. Identify the ITGCs to ensure they meet the control objectives
7. Perform a reasonable holistic review of all key controls identified
8. Determine the scope of the review and build an appropriate design and effectiveness-testing program

II.B.3.ii Risk Analysis
• Business risks: stem from the nature of the business itself
• Non-business risks: risks not arising directly from the nature of the business
(A) It is essential to understand the true nature of the risks
(B) There are several intermediate steps between the trigger event and the risk itself
(C) A series of causes and effects can result in significant consequences when combined, and such events can impact the earnings of the organization dramatically
• Interdependency: The causal relationship between two or among more risks
• Correlation: The interdependency of two risks

II.B.3.iv Risk Level or Severity
(A) Determining an appropriate response when the residual risk is more than the risk appetite
(B) To measure the true value of the impact, it is necessary to isolate the damage or positive opportunity the risk event would precipitate from other unrelated occurrences
Criteria (grouped under 2 headings): vulnerability; velocity (speed of reaction and recovery); volatility
(F) The emphasis should be on the risks that require the board's attention
(G) This does not mean that lesser risks can be ignored; however, there should be an appropriate allocation of effort
(I) We can identify risks through:
• Checklists
• Benchmarking
• Scenario planning
• Vulnerability assessments
• Risk brainstorming (thought-shower) sessions
• Control risk self-assessment (CRSA)
• Questionnaires or surveys
• Risk identification workshops
(J) Sobel and Reding (2012) on risk identification:
• First step: looking for the events that may precipitate risks
• Second step: the development of the risk universe
(K) Information to be included in the risk register:
• A description of the risk event
• The risk owner
• The inherent risk assessment (likelihood and impact)
• The responses to the risk
• The residual risk assessment (likelihood and impact)
• A conclusion
• Any actions to be taken
• Monitoring controls to be applied
(B) RM reporting includes:
• Changes in the risk register or new risks
• Weaknesses identified in the internal control system
• Risk incidents (risks that have materialized as events)
• Updates on actions taken to treat risks
(C) Reporting should consider the information needs of both internal and external stakeholders
(D) Communication related to risk management processes needs to be evidence-based, timely, relevant, and in a format that facilitates assimilation and understanding
(E) All organizations run the danger of information overload. Therefore, focusing on the salient points serves to enhance communication.
(F) It is important to avoid being seduced by what the technology can do, rather than paying attention to what it reveals about organizational risk
(G) The second line (the "RM function" in the three lines of defense) is responsible for reporting adequate risk-related information throughout the organization
(H) Risk escalation
• Is the process of reporting risk incidents up the line
• The purpose of escalation is partly to keep managers informed of risk incidents, and to precipitate implementation of a contingency plan
• The greater the threat (or opportunity), the higher up the chain the reporting should go, especially if it is apparent that the internal controls are ineffective
• There should be a designated point at which escalation is required, starting with risk capture (the ability to recognize and record that a risk event has occurred)
(I) Contingency plan
• Is a provisional plan for addressing the impact of a risk incident
• Contingency planning should be considered at the point of determining the appropriate risk response
• An organization can usually tolerate a higher level of risk if it knows that there is a fallback plan that will recover the situation after an incident
• Given the importance of survival, significant resources are often allocated to such plans
• In addition to reporting risk incidents, there is value in considering near misses

II.B.8 Periodic Review of Risk Management Processes to Aid in Continuous Improvement
(C) Three aims of RM processes (Sobel & Reding):
1. To identify and repair weaknesses and faults in risk management processes. To achieve this aim, it is necessary to review the system of risk management processes themselves.
2. To identify changes in the organization's objectives and environments, and ensure risk management processes remain in alignment. To achieve this aim, it is necessary to review the organizational context.
3. To determine that the organization is achieving its goals. To achieve this aim, it is necessary to review business performance as defined for the organization.
(D) Treasury Board Secretariat (TBS) Guidance
Components of a strategy for periodic review of RM processes:
• Clear roles and responsibilities for monitoring and review to all parties
• Effective integration with other oversight and assurance functions
• Careful consideration of the timing of reviews to facilitate participation of all key players, and avoiding clashes
• Appropriate communication mechanisms to promulgate lessons learned to all key stakeholders
• Well-documented records of expected outcomes from RM
• Other performance indicators and measures that are subject to periodic review
Outlines the focus of the review to:
• Confirm that RM is adding value to decision-making
• Validate that an organization's RM approach and process are appropriate for its RM needs and remain responsive to its external and internal context
• Ensure ongoing relevance, effectiveness, and efficiency of the RM approach and process
• Check for new approaches, tools, and ideas
• Assess compliance with relevant laws, regulations, and policies
• Assess the allocation of resources in risk responses as part of a cost-benefit analysis
(E) Seven areas in which, according to Leitch, RM should aim to make progress:
1. A greater focus on and investment in internal controls, and a move away from remediation and compliance measures
2. Continued movement toward convergence of internal control and risk management
3. The development and adoption of better methods to quantify risk and move performance metrics away from the traditional high, medium, and low classifications
4. Less focus on the risk register as an end in itself, and more emphasis on improving controls and embedding risk awareness into projects
5. Greater understanding and application of psychological factors that impact RM processes
6. Continued movement toward convergence of risk and performance management, to remove the reliance on two separate systems and overlapping sets of records
7. Greater use of a more technical approach to producing risk registers, with additional reliance on mathematical models
DOMAIN III: Assurance Role of the Internal Auditor

III.A Review the Management of Key Risks
• As a result of resourcing constraints and other priorities, the internal auditors may not be able to review all key risks. This can be addressed partly by coordinating assurance for those risks from other providers, which will, of course, influence the audit-planning process.
• (H) Assurance mapping: The act of coordinating all assurance activities to identify and eliminate gaps and overlaps.
• Internal auditors are responsible for evaluating the management of key risks and verifying that the necessary stages are in place.
(F) Management of key risks includes:
1. Key risks are identified
2. Emerging key risks are identified and monitored closely
3. Key risks are analyzed, evaluated, and duly prioritized
4. Responses for key risks are agreed, implemented, and monitored for effectiveness
• When reviewing the management of key risks, the internal auditors specify the scope and objectives of the audit and gather relevant evidence in accordance with the Standards. Internal auditors must determine whether the evidence satisfies the criteria for information (sufficient, reliable, relevant, and useful).
• Information-gathering methods are a) documentary analysis, b) interviews, c) focus groups, d) testing, e) observation, and f) walkthrough
• When drawing conclusions, the internal auditor must compare the findings with what is expected by defined policies and procedures and recognized as good practice
• Positive assurance is based on evidence indicating either conformance or non-conformance to agreed standards
• Negative assurance is based on an absence of evidence that would indicate failure

(I) Internal Audit Roles in ERM
Core roles:
• Providing assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
Legitimate roles with safeguards (temporary basis):
• Facilitating the identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidating the reporting of risks
• Maintaining and developing the ERM framework
• Championing the establishment of ERM
• Developing ERM strategy for board approval
Roles internal audit should not undertake:
• Setting the risk appetite
• Imposing risk management processes
• Managing assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management's behalf
• Assuming the ownership of and accountability for risk management
Roles with safeguards should be on a temporary basis only, with safeguards and a plan for handing them over to management, and with the following provisions:
1. Managing risk is the responsibility of management
2. The audit committee should approve it in advance as a temporary measure
3. The internal audit function should never be required to take on risk management responsibility
4. Any internal audit roles other than assurance are considered consulting
DOMAIN IV: Consulting Role of the Internal Auditor

Reporting
• Internal reporting (the board): the board needs to know whether risk management is operating as intended. It needs assurance that risk responses are enabling the organization to exploit opportunities and maintain risk exposures within appetite.
• External reporting: there are disclosure requirements for a listed company's annual reports, as shareholders need to know how secure present value and future earnings are.
• Other reporting: staff and managers.
Sobel and Reding (2012) analyze the reporting needs of the board under:
• Immediate communications: relate to significant risk events.
• Periodic written communications: periodic reports on key risk indicators.
• Periodic presentations: usually made to coincide with the timetable for board meetings.
An effective system for such reporting includes tolerance levels that (when exceeded) require escalation to the next level of authority.
The purpose of reporting is not only to provide information but also to seek authority and resources to initiate remedial action.

IV.F Advocate for the Establishment of Risk Management
(A) In an extreme case, an organization wholly ignorant of risk would carry on, with regular surprises and disappointments as a result. This is simply tolerating or accepting risk with an unlimited appetite but without any degree of forethought and planning.
(B) The internal auditor could use whistleblowing as a means of encouraging management to address risk more robustly
(C) "The Auditors' Contribution": a basic level of knowledge about risk responses and internal controls is not sufficient to act as an advocate for risk management. (Matthew Leitch)
(D) If the internal auditors are serious about advocating risk management as a robust, agile, and valuable part of organizational activity, they need to promote risk responses that go beyond the obvious. (Matthew Leitch)
(E) The short reason for advocacy is to improve the enterprise-wide attitude toward risk. The longer reason involves deciding which elements need strengthening.
(F) Advocacy steps for risk management:
1. Research and preparation
2. Agree objectives
3. Set targets and KPIs
7. Design strategies
8. Plan and deliver strategies
9. Monitor delivery

IV.G Develop Risk Management Strategy for Board Approval
(A) One of the key responsibilities of the board with respect to risk management is to approve the strategy
(B) Elements of risk management strategy