Risk

Question 1

List four important corporate governance roles with risk

Answer 1

DMCC

1. Defining the risk that the organization is prepared to take in delivering its strategy
2. Ensuring risks are managed and understood
3. Ensuring that robust internal controls are in place to manage risk
4. Creating a risk culture

Question 2

List four Business Risks

Answer 2

1. Reputational risk: the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation.
2. Competition risk: the risk that business performance will be affected because of the actions of the company’s competitors.
3. Business environment risks: the risk that the business environment in which the company operates will change significantly. This may be due to political factors, regulatory factors, economic factors, social and environmental factors or technological factors.
4. Liquidity risk: the risk that the company will have insufficient cash to settle all of its liabilities on time.

Question 3

List four Governance Risks

Answer 3

SIPP

1.Structure – from boards and steering groups to business models and policy frameworks.
2. Processes – from new product processes and communication channels to operations, strategic planning and risk appetite.
3. Information – from financial performance and audit reporting to management, risk and compliance reporting.
4. People and culture – from leadership at the top to accountability and transparency throughout the organisation, including relationships with regulators.

Question 4

What are the three main types of Internal Controls

Answer 4

1. Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
2. Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
3. Corrective controls for dealing with risk events that have occurred and their consequences.

Question 5

What are the five stages for the development of a Risk Management System

Answer 5

DARM-R

1. Definition & Identification
2. Assessment
3. Response
4. Monitoring
5. Reporting

Question 6

List the six categories of risk used for purpose of identification

Answer 6

1. Financial
2. Liquidity
3. Credit
4. Operational
5. Strategic
6. Reputational

Question 7

What is the formula to calculate a risk assessment

Answer 7

Risk Assessment = Likelihood Rating X Impact Rating

Question 8

List 5 benefits of a risk management system?

Answer 8

OMPVC

1. Increases the likelihood of achieving business objectives.
2. Facilitates monitoring and mitigation of risk in key projects and initiatives.
3. Provides a platform for regulatory compliance For financial performance
4. Protects and enhances value by prioritising and focusing attention on managing risk across an organisation.
5. Builds investor, stakeholder and regulator confidence.

Question 9

What are examples of Corporate Governance roles within Risk

Answer 9

1. Defining the risk that the organization is prepared to take in delivering its strategy
2. Ensuring risks are managed and understood
3. Ensuring that robust internal controls are in place to manage risks
4. Creating a risk culture

Question 10

List 4 benefits of a company having a risk committee

Answer 10

1. Focused only on Risk
2. Audit Committee may not have the required skills and experience
3. The composition of the committee is not restricted by the requirements of the corporate governance code.
4. It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.

Question 11

What is the recommended constitution for a Risk Committee?

Answer 11

1. The risk committee should consist of at least three members, all of whom should be independent directors.
2. The Committee should include at least one member of the audit committee and/or remuneration committee and/or include one non-executive director specifically responsible for risk.
3. Members of the committee should have appropriate knowledge, skills, and expertise to fully understand risk appetite and strategy/members as a whole should have relevant risk expertise.
4. The committee as a whole should have relevant competence relevant to the sector in which the company operates.
5. The finance director/CFO and the chief risk officer should attend committee meetings regularly.

Question 12

Provide five functions of a Risk Committee

Answer 12

1. Overseeing the CRO’s role and responsibilities and providing direction on them.
2. Monitoring the behaviour of management to ensure that there is not excessive risk taking and take appropriate actions if such behaviours are discovered.
3. Providing assurance to the board that risk management and processes for control over risk are effective.
4. Providing information to the board to help with strategy formulation
5. Reviewing and approving statements to be included in the annual report concerning internal controls and risk management.

Question 13

List 5 tasks of Internal Audit

Answer 13

1. Value for Money (VFM) audits.
2. Reviewing compliance by the organisation with particular laws or regulations.
3. Risk management assessment
4. Assessing Suitability of controls
5. Reports To Audit Committee/Risk Committee and Board

Question 14

What are five benefits of an internal Audit function

Answer 14

1. Understands the organisation, its culture, operations and risk profile and can add value to the organisation’s processes
2. Can build networks throughout the organisation, become integrated into the company’s business and as such become the ‘eyes and ears’ of the board
3. Provide assurance to stakeholders on the integrity of the organisation’s systems
4. Become an essential part of the checks and balances within the organisation
5. could be a lower-cost option, depending on the make-up of the team.

Question 15

List five areas of illicit activity is a whistleblowing policy designed to uncover?

Answer 15

1. Fraud
2. A serious violation of a law or regulation by the company or by directors, managers or employees within the company
3. A miscarriage of justice
4. Bribery
5. Price-fixing
6. Danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for consumption
7. Neglect of people in care
8. Waste or misuse of public funds
9. Bullying

Question 16

What are the six procedures for the introduction of a whistleblowing procedure

Answer 16

PPPPRM

1.Identify purpose, scope and coverage
2.Develop procedures for reporting a matter
3.Develop process for dealing with, ensuring anonymity and protection of the whistleblower, whilst ensuring ongoing communication
4.Create policy and circulate throughout company
5.Provide reports to to the board (or audit committee)?
6.Ongoing monitoring of procedure

Question 17

Define Risk

Answer 17

the effective of uncertainty on objectives, whether positive or negative.’
International Standard ISO31000

Risk refers to the possibility that something unexpected or not planned for will happen.

Question 18

How should you respond to Risk?

Answer 18

ARTA
1. Avoidance: responses which reduce the likelihood of the risk occurring. This usually means that the organisation shuts down or sells that part of the business that is causing the risk.
2. Reduction: responses that reduce the negative impact or take advantage of opportunities for positive impact.
3. Transfer: responses that transfer the risk somewhere else.
5. Acceptance: responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it.

Question 19

What the ways to identify risk?

Answer 19

1. Mind mapping
2. Process mapping
3. Stress testing
4. Use of internally generated documents
   - Business impact studies
   - Market research reports
   - Expert reports on areas such as health and safety, development,

Question 20

What Steps should you put in place for a disaster recovery plan?

Answer 20

Identifying the team of employees who are responsible for dealing with
the breach and for putting the disaster recovery plan in place.

Identifying the key company operations that are reliant on IT systems and which are essential to the company’s business continuity.

Having a back-up IT system which is ring-fenced and could operate as a replacement whilst the IT systems are down and considering how and where employees will be able to access that system.

Setting out the process for identifying the source and impact of the cyber-attack and how it can be halted or contained.

Setting out immediate steps that are needed to control and contain the
incident in the first 24 hours.

Setting out the longer-term steps needed to respond to the incident.

Procedures and protocols for immediate and on-going internal communications to relevant stakeholders

Question 21

What Steps should you put in place for a disaster recovery plan?

Answer 21

Identifying the team of employees who are responsible for dealing with
the breach and for putting the disaster recovery plan in place.

Identifying the key company operations that are reliant on IT systems and which are essential to the company’s business continuity.

Having a back-up IT system which is ring-fenced and could operate as a replacement whilst the IT systems are down and considering how and where employees will be able to access that system.

Setting out the process for identifying the source and impact of the cyber-attack and how it can be halted or contained.

Setting out immediate steps that are needed to control and contain the
incident in the first 24 hours.

Setting out the longer-term steps needed to respond to the incident.

Procedures and protocols for immediate and on-going internal communications to relevant stakeholders

Question 22

What Steps should you put in place for a disaster recovery plan?

Answer 22

Identifying the team of employees who are responsible for dealing with
the breach and for putting the disaster recovery plan in place.

Identifying the key company operations that are reliant on IT systems and which are essential to the company’s business continuity.

Having a back-up IT system which is ring-fenced and could operate as a replacement whilst the IT systems are down and considering how and where employees will be able to access that system.

Setting out the process for identifying the source and impact of the cyber-attack and how it can be halted or contained.

Setting out immediate steps that are needed to control and contain the
incident in the first 24 hours.

Setting out the longer-term steps needed to respond to the incident.

Procedures and protocols for immediate and on-going internal communications to relevant stakeholders