RemNote Community

Study Guide

📖 Core Concepts
- Enterprise Risk Management (ERM): organization-wide system for identifying, assessing, and managing risks that could impede strategic objectives.
- Risk Categories: operational, financial (market, credit, liquidity), compliance, strategic, reputational.
- Risk Appetite: the amount of risk an organization is willing to accept while pursuing its goals.
- ERM Frameworks: COSO ERM (eight components in the 2004 Integrated Framework; the 2017 update regroups the material into five components, but exam stems usually mean the eight), ISO 31000 (principles + framework + process), Casualty Actuarial Society (risk type × management process matrix).
- Risk Response Strategies: avoidance, reduction, sharing/insurance, acceptance, alternative actions.
- Monitoring & Review: ongoing checks (reports, committee meetings) that confirm responses remain effective and aligned with objectives.
- Internal Audit Role: independent evaluation of ERM processes; conducts an annual risk assessment to shape the audit plan but does not make risk-management decisions.

---

📌 Must Remember
- Eight COSO components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, monitoring.
- ISO 31000 pillars: principles (value creation, integration), framework (structures & resources), process (identify → analyze → evaluate → treat → monitor → review).
- Risk response options in decreasing order of intervention: avoid > reduce > share > accept. The ordering is a memory aid, not a preference ranking; choose the option whose cost is justified by the expected loss it removes.
- Key ERM goals: unified risk view, coordinated risk functions, alignment of risk information with strategic decision-making.
- Common implementation hurdles: no executive sponsor, unclear risk language, undefined risk appetite, incomplete risk inventory, poor ranking methodology, insufficient ownership, weak cost-benefit demonstration.

---

🔄 Key Processes
1. Establish Context: define the internal/external environment, governance, and risk-management culture.
2. Identify Risks: document threats and opportunities affecting objectives, across all categories.
3. Analyze/Quantify Risks: estimate likelihood and impact; may involve probability distributions (CAS).
4. Assess Risks: rank by contribution to the aggregate risk profile, taking correlations between risks into account.
5. Treat Risks: choose a response: avoid, reduce, share/insure, accept, or alternative action.
6. Implement Controls: deploy policies and procedures that enact the chosen responses.
7. Communicate & Report: ensure risk information flows to the relevant stakeholders.
8. Monitor & Review: continuous measurement, performance checks, and adjustment.
(COSO maps steps 2–8 onto its eight components; ISO 31000 labels them the "process".)

---

🔍 Key Comparisons
COSO vs. ISO 31000
- COSO: eight concrete components; strong focus on governance and internal control.
- ISO 31000: high-level principles + framework; more flexible across industries.
Risk Avoidance vs. Risk Acceptance
- Avoidance: stop the activity that creates the risk.
- Acceptance: live with the risk because the mitigation cost exceeds the benefit.
Internal Audit vs. Risk Management Function
- Internal Audit: independent evaluator; derives the audit plan from its own risk assessment.
- Risk Management: designs and executes risk responses; holds decision-making authority.
Operational Risk vs. Strategic Risk
- Operational: failures in day-to-day processes, people, and systems.
- Strategic: threats/opportunities affecting long-term goals and direction.

---

⚠️ Common Misunderstandings
- "ERM replaces all other risk functions." ERM integrates them; existing functions still perform their specialized tasks.
- "Risk acceptance means no action." Acceptance is a conscious decision made after cost-benefit analysis, and the accepted risk still has to be monitored.
- "ISO 31000 is a strict checklist." It provides guiding principles; organizations tailor the process.
- "Internal audit decides on risk responses." Auditors evaluate effectiveness; they do not set responses.

---

🧠 Mental Models / Intuition
- Risk-Response Pyramid: visualize the sequence (avoid → reduce → share → accept) to walk through the candidate actions quickly.
- Risk Appetite as a "thermostat": sets the temperature (tolerance) at which the organization may operate before cooling (mitigation) is required.
- Aggregate Risk Distribution: think of each risk as a bell curve; combining them (with their correlations) yields the overall risk "weather forecast".

---

🚩 Exceptions & Edge Cases
- Regulatory mandates may force avoidance or sharing even when cost-benefit analysis suggests acceptance.
- Strategic opportunities sometimes merit risk-taking beyond the stated appetite (controlled "risk-seeking" for growth).
- Highly correlated risks amplify aggregate impact; ranking or adding risks one at a time, as if independent, underestimates exposure.

---

📍 When to Use Which
- Choose COSO when you need a detailed, governance-focused structure (e.g., public companies, SOX compliance).
- Choose ISO 31000 for cross-industry flexibility or a principle-driven approach.
- Apply the CAS matrix when you require quantitative risk aggregation (e.g., actuarial or insurance settings).
- Select a risk response by comparing mitigation cost against expected loss (cost-benefit analysis).

---

👀 Patterns to Recognize
- "Four Objective Categories" (strategic, operations, financial reporting, compliance): appears in many exam stems.
- "Likelihood × Impact": always signals a risk-assessment calculation.
- "Monitoring & Review": recurring phrase for the final COSO component; look for evidence of ongoing measurement.
- "Risk appetite statement": signals a need to justify whether a risk is within tolerance.

---

🗂️ Exam Traps
- Distractor: "Internal audit must implement risk responses." Wrong; auditors evaluate, they do not implement.
- Distractor: "ISO 31000 mandates a specific risk-ranking formula." Wrong; ISO provides guidance, not a fixed formula.
- Distractor: "Risk avoidance is always the best strategy." Wrong; cost-benefit analysis may favor reduction or sharing.
- Distractor: "All ERM frameworks have exactly the same components." Wrong; COSO's eight components differ from ISO's three-pillar model.

---
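The quantitative steps in Key Processes (analyze, assess with correlations, treat), the "highly correlated risks" edge case, and the "select a risk response by cost-benefit" bullet are easier to see with numbers. The following is an added worked example, not part of the study guide and not the method of COSO, ISO 31000, or the CAS framework: it models each risk's annual loss as a normal distribution, aggregates three risks first as if independent and then with a shared correlation, and then picks the cheapest response that keeps residual loss inside a risk appetite. Every risk name, figure, correlation value, and the normal-loss assumption is constructed for illustration.

```python
"""Worked example added to this study guide (not part of the original notes):
quantify aggregate risk with correlation, then pick a response by cost-benefit
within a stated risk appetite. All figures are constructed sample data."""
from dataclasses import dataclass
from math import sqrt
from statistics import NormalDist


@dataclass(frozen=True)
class Risk:
    name: str
    mean_loss: float  # expected annual loss, e.g. likelihood x impact
    std_loss: float   # standard deviation of annual loss (assumed normal)


def aggregate(risks, corr):
    """Mean and standard deviation of total annual loss across `risks`.

    `corr` is a symmetric correlation matrix indexed like `risks`.
    Var(sum) = sum over i, j of rho_ij * sigma_i * sigma_j; it reduces to the
    plain sum of variances only when every off-diagonal rho_ij is 0.
    """
    mean = sum(r.mean_loss for r in risks)
    var = sum(corr[i][j] * ri.std_loss * rj.std_loss
              for i, ri in enumerate(risks)
              for j, rj in enumerate(risks))
    return mean, sqrt(var)


def value_at_risk(mean, std, confidence=0.95):
    """Loss level exceeded with probability 1 - confidence (normal model)."""
    return NormalDist(mean, std).inv_cdf(confidence)


@dataclass(frozen=True)
class Response:
    strategy: str         # avoid / reduce / share / accept
    annual_cost: float    # control cost, premium, or forgone revenue
    residual_mean: float  # expected annual loss remaining after the response


def choose_response(options, appetite):
    """Cheapest option (cost + residual expected loss) whose residual loss is
    within appetite. Options outside appetite are excluded even when cheaper
    overall; that exclusion is what a risk appetite statement does. Returns
    None when nothing fits, i.e. the decision has to be escalated."""
    feasible = [o for o in options if o.residual_mean <= appetite]
    if not feasible:
        return None
    return min(feasible, key=lambda o: o.annual_cost + o.residual_mean)


# Constructed sample data (hypothetical figures in currency units).
RISKS = [
    Risk("phishing-led account takeover", 200_000, 100_000),
    Risk("ransomware on file servers", 300_000, 200_000),
    Risk("critical vendor outage", 100_000, 50_000),
]
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
# A shared root cause (e.g. one compromised identity provider) links all three.
CORRELATED = [[1.0, 0.8, 0.8], [0.8, 1.0, 0.8], [0.8, 0.8, 1.0]]

RANSOMWARE_OPTIONS = [
    Response("avoid", 900_000, 0),         # exit the line of business
    Response("reduce", 250_000, 90_000),   # EDR, offline backups, tested restores
    Response("share", 160_000, 150_000),   # cyber insurance; retention stays with us
    Response("accept", 0, 300_000),        # keep monitoring, add no controls
]


def compare_aggregation(confidence=0.95):
    """VaR of total loss assuming independence vs. with correlation."""
    return {
        "independent": value_at_risk(*aggregate(RISKS, INDEPENDENT), confidence),
        "correlated": value_at_risk(*aggregate(RISKS, CORRELATED), confidence),
    }


if __name__ == "__main__":
    for label, var in compare_aggregation().items():
        print(f"{label:>12}: 95% VaR = {var:,.0f}")
    for appetite in (1_000_000, 200_000, 50_000):
        choice = choose_response(RANSOMWARE_OPTIONS, appetite)
        print(f"appetite {appetite:>9,}: {choice.strategy if choice else 'escalate'}")
```

With these constructed inputs the expected total loss is the same either way (600,000), but the 95% value at risk rises from roughly 977,000 under independence to roughly 1,142,000 once the 0.8 correlation is included, which is the "amplified aggregate impact" the edge-case bullet warns about. For the ransomware response, a loose appetite (1,000,000) makes acceptance the cheapest total, an appetite of 200,000 rules acceptance out and shifts the choice to sharing, and an appetite of 50,000 leaves avoidance as the only feasible option. The normal model is a simplification chosen for a closed-form answer; real cyber loss distributions are heavy-tailed, and an actuarial setting would fit the distribution rather than assume it.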