ERM Chapter 10

Question 1

Outline four key systems and processes that should be properly documented.

Answer 1

1. RM decisions made and the reasons for those decisions
2. System
3. Financial models, including the assumptions and data employed in the model
4. RM failures, including the nature of failures and losses incurred

Question 2

What are two key requirements of data used for monitoring/reporting purposes?

Answer 2

• Delivered to the users in a timely manner

- Reliable (free from error)

Question 3

Describe five types of communication.

Answer 3

1. Internal - information about what is happening inside the business e.g. cashflow position, sales, inventory levels
2. External (inwards) - collecting relevant information about what is happening outside the company e.g. competitor sales
3. External (outwards) - distributing information about the company to interested parties e.g. media, shareholders, regulators
4. Informal - word of mouth (or technological equivalents such as social media)
5. Formal - through a corporate intranet, management information systems, reports and/or corporate newsletters

Question 4

What are risk metrics?

Answer 4

Risk indicators that are used to indicate when a risk has breached the risk tolerance of the company. These may be quantitative or qualitative, and a number of these may be used at each level of the risk appetite statement for a variety of risks e.g. IT systems downtime and staff turnover rates may be used as an indicator for the level of operational risk an organisation is exposed to.

Question 5

What are Key Risk Indicators?

Answer 5

Where risk metrics are used to form a key part of an organisation’s risk management framework, they are referred to as KRIs. They are used to identify when risk limits are close to being exceeded, and prompt actions designed to keep the organisation within its risk tolerances.

Question 6

Describe the factors an organisation should consider when deciding what KRIs should be used.

Answer 6

• its policies and regulations
• its strategies and objectives
• past losses and incidents
• stakeholder requirements
• its risk assessments

Question 7

List desirable features of a KRI.

Answer 7

• quantifiable
• based on consistent methodologies and standards
• incorporates key risk drivers
• tracked over time
• tied to objectives
• linked to an accountable individual
• useful in decision making
• able to be benchmarked externally
• timely
• cost effective to measure
• simple

Question 8

What is a feedback loop?

Answer 8

Process by which management and other stakeholders are informed of significant issues or changes in the business and/or environment. These may come from sources that provide information on past events, the present or expectations for the future.

Question 9

What are the five main questions to be answered via a risk reporting system?

Answer 9

1. Are our business objectives at risk?
2. Are we in compliance with policies, laws and regulations?
3. What risk incidents have been escalated and require attention?
4. What KPIs and KRIs need attention?
5. What risk assessments need to be reviewed?

Question 10

Outline the key components of a risk report to a board.

Answer 10

• internal and external, qualitative and quantitative information
• a summary of losses and incidents
• a narrative from management on important data and trends
• KPIs and KRIs against risk limits with important deviations and trends highlighted
• important events/milestones e.g. regulatory visit

Risk reports are often split by risk types and operating units, and summaries of key risk areas are generally represented in tabular or graphical form with an indication of likelihood and severity (e.g. traffic light approach).