CHAPTER 5

Created by

マライア

Cards (28)

Risk management process under COSO ERM
Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
View source
Risk assessment 
Assessing likelihood and impact of identified risks
Evaluating inherent and residual risks
View source
Risk assessment process 
1. Identify risks
2. Assess likelihood and impact
3. Evaluate inherent and residual risks
View source
Inherent risk 
Susceptibility of the company to risk in the absence of any actions management might take to alter the risk's likelihood or impact
View source
Residual risk 
Risk that remains after applying management's response to the risk
View source
Risk response 
1. Evaluate possible responses
2. Select responses
3. Maintain portfolio view
View source
Control activities 
Preventive, detective, and corrective controls
Controls over information systems
View source
Information and communication 
1. Identify, capture, and communicate pertinent information from internal and external sources
2. Communicate risk management policies and directives
View source
Monitoring 
1. Ongoing monitoring activities
2. Separate evaluations
3. Report deficiencies
View source
Each of the eight COSO ERM components must be present and functioning in a company's risk management process, and must operate in an integrated manner to achieve the four business objectives across the enterprise
View source
Risk rating 
Qualitative (high, moderate, low) or quantitative (0 to 5 score) assessment of likelihood and impact of risks
View source
Management is most concerned with risks that have "high" likelihood and "high" potential impact
View source
Professional judgment is often applied in selecting the appropriate risk rating, incorporating other information
View source
Risk management process 
Components must operate in an integrated manner to achieve business objectives across the enterprise (e.g. entity-level, division, business unit, subsidiary)
View source
Risk Assessments 
1. Assigning Risk Ratings
2. Assess likelihood and impact
3. Assign qualitative risk rating (high, moderate, low)
4. Assign quantitative risk scores (0 to 5)
5. Professional judgment applied
6. Consider historical experience and other information
View source
Likelihood 
Probability of the occurrence of an event
View source
Qualitative ratings for likelihood
Low
Moderate
High
View source
Quantitative ratings for likelihood
1 - Less likely
2 - Likely
3 - Very likely
4 - Virtually certain
View source
Impact 
Magnitude or consequence of the event or risk to the company
View source
Qualitative ratings for impact
Low - Minor effect
Moderate - Medium impact
High - Significant impact
View source
Risk map 
Graphic or visual representation of the likelihood and impact of one or more risks
View source
Interpretation of risks on a risk map
Low likelihood/Low impact - Accept risk
High likelihood/High impact - Mitigate, share or avoid
High likelihood/Low impact and High impact/Low likelihood - Reduce moderate risks
View source
Documentation of risk assessment, risk response, and control activities
Risk assessment template with likelihood, impact, combined score, decision to mitigate/accept, and control activities
View source
Monitoring and testing of the risk management process
1. Ongoing monitoring activities
2. Separate evaluations by internal auditors
3. Report deficiencies to management and board
4. Recommendations to improve risk management and control processes
View source
Inherent risk 
Level of risk before applying management actions
View source
Residual risk 
Risk that remains after applying management's actions
View source
Significant risks must be treated differently from risks that are not significant
View source
If residual risks remain, management should establish and implement additional risk mitigation strategies
View source