CIA Part 1 Unit 4: Risk Management
Risk - ANSPossibility of an event occurring that will have an impact on achievement of
objectives. Impact v. Likelihood
Risk Management - ANSA process to identify, assess, manage, and control potential events
or situations to provide reasonable assurance regarding achievement of objectives.
Risk Management Process (5) - ANS(1) Identification of context
(2) Risk Identification
(3) Risk Assessment & Prioritization
(4) Risk Response
(5) Risk Monitoring
Step 1 - Identification of Context - ANSContexts can include laws, regs, capital projects,
business processes, technology, market risk, and organizations.
Step 2 - Risk Identification - ANSShould be performed at every level of the entity. Consider
past events and future possibilities. Event Inventories, questionnaires/surveys, leading event
indicators/triggers, facilitated workshops, interviews, process flow analysis, loss event data
methodologies.
Brainstorming, SWOT, Scenario analysis
Step 3 - Risk Assessment and Prioritization - ANSAssess significance, likelihood, means of
managing risk.
Qualitative - Risk ranking, heat maps, matrix
Quantitative - Probability models, how it would affect earnings
Step 4 - Risk Response - ANSHow organization elects to manage individual risks.
Controls - ANSActions taken by management to manage risk and ensure risk responses are
carried out.
Residual Risk - ANSRisk that remains after responses are executed
Step 5 - Risk Monitoring - ANSTrack identified risks, evaluate current response plans,
monitor residual risks, identify new risks.
Who has oversight of risk management? - ANSThe board
Who ensures risk management processes are functioning? - ANSManagement
Who examines, evaluates, reports or recommends improvements for risk management? -
ANSInternal audit activity
, Regarding Risk Management, CAE and IA's should (5) - ANS(1) Obtain a clear
understanding of the org's risk situation
(2) Consider RM frameworks and models
(3) Consider characteristics of the organization
(4) Review the maturity of the org's RM
(5) Have an established process for planning, auditing and reporting RM issues
Maturity levels for risk management (5) - ANS1 Initial
2 Repeatable
3 Defined
4 Managed
5 Optimized
Enterprise Risk Management - ANSCulture, capabilities, and practices, integrated with
strategy-setting and performance that organizations rely on to manage risk in creating,
preserving, and realizing value.
Definition of Culture in ERM - ANSthe attitudes, behaviors, and understanding about risk that
influence management's decisions
Definition of Capabilities in ERM - ANSskills needed to carry out entity's mission and vision
Definition of Practices in ERM - ANSCollective methods used to manage risk
Risk profile - ANScomposite view of types, severity, and interdependencies of risks related to
a specific strategy or business objective and their effect on performance.
Portfolio view of risk - ANScomposite view of risks related to entity-wide strategy and
business objectives and their effects on entity performance
Opportunity - ANSAny action or potential action that creates or alters goals or approaches
for the creation, preservation, or realization of value
Risk inventory - ANSall identified risks that affect strategy and business objectives
Risk Capacity - ANSMax amount of risk the org can assume
Risk appetite - ANSAmounts and types of risks the organization is willing to accept in pursuit
of value
Inherent Risk - ANSRisk in the absence of management actions to alter its severity
Actual residual risk - ANSamount of risk remaining after management actions to alter its
severity
Target residual risk - ANSthe risk the entity prefers to assume knowing that management
has acted or will act to alter its severity.
Risk - ANSPossibility of an event occurring that will have an impact on achievement of
objectives. Impact v. Likelihood
Risk Management - ANSA process to identify, assess, manage, and control potential events
or situations to provide reasonable assurance regarding achievement of objectives.
Risk Management Process (5) - ANS(1) Identification of context
(2) Risk Identification
(3) Risk Assessment & Prioritization
(4) Risk Response
(5) Risk Monitoring
Step 1 - Identification of Context - ANSContexts can include laws, regs, capital projects,
business processes, technology, market risk, and organizations.
Step 2 - Risk Identification - ANSShould be performed at every level of the entity. Consider
past events and future possibilities. Event Inventories, questionnaires/surveys, leading event
indicators/triggers, facilitated workshops, interviews, process flow analysis, loss event data
methodologies.
Brainstorming, SWOT, Scenario analysis
Step 3 - Risk Assessment and Prioritization - ANSAssess significance, likelihood, means of
managing risk.
Qualitative - Risk ranking, heat maps, matrix
Quantitative - Probability models, how it would affect earnings
Step 4 - Risk Response - ANSHow organization elects to manage individual risks.
Controls - ANSActions taken by management to manage risk and ensure risk responses are
carried out.
Residual Risk - ANSRisk that remains after responses are executed
Step 5 - Risk Monitoring - ANSTrack identified risks, evaluate current response plans,
monitor residual risks, identify new risks.
Who has oversight of risk management? - ANSThe board
Who ensures risk management processes are functioning? - ANSManagement
Who examines, evaluates, reports or recommends improvements for risk management? -
ANSInternal audit activity
, Regarding Risk Management, CAE and IA's should (5) - ANS(1) Obtain a clear
understanding of the org's risk situation
(2) Consider RM frameworks and models
(3) Consider characteristics of the organization
(4) Review the maturity of the org's RM
(5) Have an established process for planning, auditing and reporting RM issues
Maturity levels for risk management (5) - ANS1 Initial
2 Repeatable
3 Defined
4 Managed
5 Optimized
Enterprise Risk Management - ANSCulture, capabilities, and practices, integrated with
strategy-setting and performance that organizations rely on to manage risk in creating,
preserving, and realizing value.
Definition of Culture in ERM - ANSthe attitudes, behaviors, and understanding about risk that
influence management's decisions
Definition of Capabilities in ERM - ANSskills needed to carry out entity's mission and vision
Definition of Practices in ERM - ANSCollective methods used to manage risk
Risk profile - ANScomposite view of types, severity, and interdependencies of risks related to
a specific strategy or business objective and their effect on performance.
Portfolio view of risk - ANScomposite view of risks related to entity-wide strategy and
business objectives and their effects on entity performance
Opportunity - ANSAny action or potential action that creates or alters goals or approaches
for the creation, preservation, or realization of value
Risk inventory - ANSall identified risks that affect strategy and business objectives
Risk Capacity - ANSMax amount of risk the org can assume
Risk appetite - ANSAmounts and types of risks the organization is willing to accept in pursuit
of value
Inherent Risk - ANSRisk in the absence of management actions to alter its severity
Actual residual risk - ANSamount of risk remaining after management actions to alter its
severity
Target residual risk - ANSthe risk the entity prefers to assume knowing that management
has acted or will act to alter its severity.
