Assignment 3 Risk Management

School: University of California, Los Angeles
Course: 123
Subject: Information Systems
Date: Dec 6, 2023
Pages: 6
Uploaded by: ProfessorBravery12995
1. How does COSO define risk? How does ISO define risk?

COSO defines risk as "the possibility that events will occur and affect the achievement of a strategy and objectives." The International Organization for Standardization (based in Switzerland and abbreviated ISO, based on the French translation) very simply defines risk as the "effect of uncertainty on objectives."

2. What are the five fundamental points embedded in the COSO and ISO definitions of risk?

Risk begins with strategy formulation and the setting of business objectives. An organization is in business to achieve particular strategies and business objectives. Risks represent the barriers to successfully achieving those objectives, as well as the opportunities that may help achieve those objectives. Therefore, because each organization has somewhat different strategies and business objectives, each will also face different types of risks.

Risk involves uncertainty, which COSO refers to as "the state of not knowing how potential events may or may not manifest."

Risk does not represent a single point estimate (for example, the most likely outcome). Rather, it represents a range of possible outcomes. Because many different outcomes are possible, the concept of a range is what creates uncertainty when understanding and evaluating risks.

Risks may relate to preventing bad things from happening (risk mitigation) or to failing to ensure good things happen (that is, exploiting or pursuing opportunities). Most people focus on preventing bad outcomes, for example a hazard that needs to be mitigated or eliminated. While many risks do, in fact, present threats to an organization, risks are also represented by the failure to pursue and achieve positive outcomes.

Risks are inherent in all aspects of life; that is, wherever uncertainty exists, one or more risks exist. The examples provided in the previous section on the history of risk illustrate how the understanding of risk has evolved. Those risks specifically associated with organizations conducting a form of business are commonly referred to as business risks. This can be thought of in quite simple terms: uncertainties regarding threats to the achievement of business objectives are considered business risks.

3. According to COSO, what are the fundamental concepts emphasized in its definition of enterprise risk management (ERM)?

The definition recognizes culture and capabilities, which are key aspects of ERM. Culture relates to the people at all levels of the organization, including those who establish the mission, strategy, and business objectives, as well as all who carry out risk management practices. ERM helps people understand risk and how it relates to the organization's strategy and business objectives. Capabilities relate to the skills needed to execute the organization's mission and vision. An organization that has the capabilities to adapt to change is better able to compete and thrive in the marketplace.

4. How does COSO define mission, vision, and core values?

Mission: the entity's core purpose, which establishes what it wants to accomplish and why it exists.
Vision: the entity's aspiration for its future state, or what the organization aims to achieve over time.
Core values: the entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.

5. How does COSO define strategy and business objectives?

COSO defines strategy as "the organization's plan to achieve its mission and vision and apply its core values," and business objectives are defined as "those measurable steps the organization takes to achieve its strategy."

6. What are the five COSO ERM components?

The COSO exposure draft describes these five risk components as follows:

1. Risk Governance and Culture: Risk governance and culture together form a basis for all other components of enterprise risk management. Risk governance sets the entity's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity. Culture is reflected in decision-making.

2. Risk, Strategy, and Objective-Setting: Enterprise risk management is integrated into the entity's strategic plan through the process of setting strategy and business objectives. With an understanding of business context, the organization can gain insight into internal and external factors and their impact on risk. An organization sets its risk appetite in conjunction with strategy-setting. The business objectives allow strategy to be put into practice and shape the entity's day-to-day operations and priorities.

3. Risk in Execution: An organization identifies and assesses risks that may affect an entity's ability to achieve its strategy and business objectives. It prioritizes risks according to their severity, considering the entity's risk appetite. The organization then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and business objectives.

4. Risk Information, Communication, and Reporting: Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant and quality information from both internal and external sources to support enterprise risk management. The organization leverages information systems to capture, process, and manage data and information. By using information that applies to all components, the organization reports on risk, culture, and performance.

5. Monitoring Enterprise Risk Management Performance: By monitoring enterprise risk management performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes.

7. How does COSO define risk appetite?

The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.

8. What is inherent risk? What is residual risk?

Inherent risk is the risk to an entity in the absence of any explicit or targeted actions that management might take to alter the risk's severity. Residual risk is the risk remaining after management has taken explicit or targeted action to alter the risk's severity.

9. What are COSO's five categories of risk response?

Accept the risk at its current level and take no action to affect its severity. Such a response indicates the severity is within the organization's risk appetite.

Avoid the risk by divesting or otherwise removing it from the organization's risk profile. This response indicates the severity may be outside the organization's risk appetite and there is no cost-effective response to bring it within the risk appetite.

Pursue or exploit the risk because taking on such a risk may be advantageous to the organization and may be necessary to achieve a particular business objective.

Reduce the risk through application of controls or other risk mitigation activities. Such a response indicates the impact of the risk may go beyond the organization's risk appetite and actions are necessary to reduce the potential impact.

Share or transfer the risk, which may include outsourcing, insuring, or hedging the risk. This option is best when others can manage the risk more effectively or efficiently than the organization can.

10. In what forms might risk information be communicated?

Communications may be in the form of:
- Electronic messaging (for example, emails, social media, and text messages).
- External/third-party materials (for example, industry or trade journals and media reports).
- Informal/oral (for example, discussions and meetings).
- Public events (for example, roadshows, town hall meetings, and professional conferences).
- Training and seminars (for example, live or online training, webcasts, and workshops).
- Written internal documents (for example, briefing documents, dashboards, and presentations).

11. What are typical ERM responsibilities of:

a. The board of directors?

While the board has some role throughout all aspects of ERM, most of its responsibilities relate to the risk governance and culture component. The board's primary role relates to principle #1, its risk oversight responsibility. The board also helps management establish the governance and operating models, define culture and desired behaviors, demonstrate commitment to integrity and ethics, and assign accountability and authority for risk management.

b. Management?

Management is responsible for carrying out all activities of an organization, including ERM. In fact, management is responsible for aspects of all five components of ERM. However, these responsibilities will vary, depending on the level in the organization and the organization's characteristics.

The CEO is ultimately responsible for the effectiveness and success of ERM. One of the most important aspects of this responsibility is ensuring that a positive and ethical tone is set. The CEO influences the composition and conduct of the board, provides leadership and direction to senior managers, and monitors the organization's overall risk activities in relation to its risk appetite. When evolving circumstances, emerging risks, strategy implementation, or anticipated actions indicate potential misalignment with risk criteria, the CEO takes the necessary actions to reestablish alignment.

Senior managers in charge of the various organizational units have responsibility for managing risks related to their specific units' objectives. They convert the organization's overall strategy into ongoing operations activities, identify potential risk events, assess the related risks, and implement actions to manage those risks. Managers guide the application of the organization's ERM components relative to and within their spheres of responsibility, ensuring the application of those components is consistent with the board's and management's levels of acceptable variation in performance. They assign responsibility for specific ERM procedures to managers of the functional processes. As a result, these managers usually play a more active role in devising and executing particular risk procedures that address the unit's objectives, such as techniques for risk identification and assessment, and in determining specific risk management strategies, for example developing policies and procedures for purchasing goods or accepting new customers.