RIMS CRMP Exam Study Guide Common Terms Already Graded A+

Benchmarking The process of measuring the performance of an organization against external standards of reference that frequently come from similar organizations doing similar things. Corporate governance The system of rules, practices and processes by which a company is directed and controlled Enterprise risk management A strategic discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risk and managing the combined impact of those risks as an interrelated risk portfolio. Strategy: Consider all risks and exploit risks as part of strategy Measurement: Include Upside of Risk (Bugalla and Kugler) Look at building, expanding, exploiting to add value Push and Pull risk performance data This approach is Coordinated & Strategic Gap analysis Comparison of an existing process or procedure to recognized standards in order to identify deficiencies or excesses in the existing process. Technique that can be used to determine what steps might need to be taken to improve the organization's capacity to move from a current state to a desired future state. Key performance indicator (KPI) An activity that signals the achievement of organizational objectives Key risk indicator (KRI) A measurement of how risk and volatility relate to achieving organizational objectives Designed to manage the downside of risk Leading indicators of risk to business performance; giving early warning of potential risk early signal of changes in risk exposures in various areas of the enterprise Risk Metrics Integrated into the performance objectives of the organization for monitoring risks Examples: KPIs and KRIs Indemnification Contractual obligation placed on the indemnifier to return the indemnified to essentially the same financial condition that existed prior to the loss or claim, to stand in as the source for financing the legal liability Contractual Risk Transfer A legally binding agreement between two parties whereby one agrees to indemnify and hold another party harmless for specified actions, inactions, injuries or damages Hold Harmless wording that requires one party to shield the other party from the effects of the legal liability assignable to transfer or obligor Risk Transfer/Sharing Action taken when 1) costs of retaining risks exceeds the organization's risk tolerance; 2) risks (or some portion) can be transferred at a lower cost; 3) risks should be apportioned based on an agreement, and 4) it is required by regulation Insurance Risk-transfer mechanism that ensured full or partial financial compensation for the loss, damage and legal obligations of a policyholder or beneficiary PESTLE analysis Political, Economic, Social, Technological, Legal and Environmental and identifies the categories utilized to analyze internal and external environments. Risk The effect of uncertainty on objectives Chance of Something happening that has an impact on objectives Being prepared for the worst and being poised to exploit opportunities as discovered Risk appetite The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes how much risk the company will take on linked to rewards (risk-return trade-offs) express qualitatively or quantitively Risk attitude An organization's or individuals' view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. Risk culture The beliefs, values, norms and traditions of behavior of individuals and groups within an organization that determine the way in which they identify, understand, discuss and act on the risk(s) the organization confronts and takes. Risk champion Any person in an organization who is a leader and influences peers regarding the value that risk management adds to the organization. Risk governance The architecture within which risk management operates in a company Questions to consider when choosing a governance framework: *Does a Standard/Framework already exist? *How effective is the current paradigm? *What are the gaps between the current and ideal state? *Which Standard/Framework do key Stakeholders prefer? Risk management The process of making and implementing decisions that will minimize the adverse effects of accidental losses on an organization strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio Risk owner An individual accountable for the identification, assessment, treatment, and monitoring of risks in a specific environment the individual who is ultimately accountable for ensuring that a risk/risks are managed appropriately, including the implementation of selected responses. Risk portfolio A complete collection and range of uncertainties that affect an organization's future. Risk tolerance The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category or for a specific initiative usually expressed in quantitative terms with specific minimum and maximum risks that breach organization's risk tolerance should be escalated Root cause A factor that, if removed from a chain of events, causes a problem to not occur or lessens the impact of a problem. Root cause analysis A problem-solving methodology used to find the root causes of problems. Include fault tree analysis, event tree analysis, failure mode and effect analysis, and cause and effect analysis (fishbone) Strategic risk management A business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution. SWOT analysis Strengths, Weaknesses, Opportunities, and Threats and is an analytical approach for environmental scanning that combines internal and external context with obstacles and accelerators to success in achieving objectives. Can Identify risk related Obstacles ( threats and weaknesses) and Accelerators (Strengths and Opportunities) SMART goals Simple, Measurable, Achievable, Realistic and Timely and refers to characteristics of high quality goals and objectives. Value chain A high-level model developed by Michael Porter used to describe the process by which businesses receive raw materials, add value to the raw materials through various processes to create a finished product, and then sell that end product to customers. Companies conduct value-chain analysis by looking at every production step required to create a product and identifying ways to increase the efficiency of the chain. The overall goal is to deliver maximum value for the least possible total cost and create a competitive advantage the series of functions, processes, materials and activities (inputs) from concept to the eventual end user that creates and builds value at every step in order to deliver a product or service (output). Risk analysis process of characterizing and understanding the nature of risk and of considering the level of risk in the context of the organization's willingness to accept risk. Once identified, Risk is typically analyzed on the basis of likelihood and consequences for the objective or issue under review. Other criteria for measuring and evaluating the significance and effect of risk can be used. Once risk is identified, must: 1. Describe the risk (likelihood, consequences, timing, duration, vulnerability and interdependencies) 2. Measure the risk Quantitative/Qualitative/Assumptions Combination of several Risk Identification Process compromised of finding, recognizing and recording risks Risk Monitoring means "to observe and check the progress or quality of (something) over a period of time; keep under systematic review" Analysis 1. A systematic examination and evaluation of data or information, by breaking it into its component parts to uncover their interrelationships. Opposite of Synthesize. 2. An examination of data and facts to uncover and understand cause-effect relationships, thus providing basis for problem solving and decision making. Strategic Plan complete plan of action for whatever situations might arise in achieving an organization's goals within the established time. An organization's strategic plans will determine the actions the organization will take at any stage of the planning period as circumstances change. Includes company's Vision Statement, Mission Statement, Strategy How does the organization intend to execute the plan of all of the above? Vision Statement Where does the organization want to be in the future? Aspirations? Mission Statement Why does the organization exist? Strategy What will the organization do to accomplish its mission (plan)? COSP Compile, Organize, Synthesize, Prioritize Compile - compile internal and external information Organize - make everything easily accessible Synthesize - combine data in ways that are coherent, logical, and meaningful Prioritize - Choose information that is most relevant and useful Conduct Risk comprises a wide variety of activities and types of behavior that fall outside other main categories of risk (market, credit, liquidity, operational risk). Refers to risks attached to the way a firm behaves in a wide range of market-facing and internal situations. No official definition. Generally agreed to incorporate matters such as how customers are treated, remuneration of staff, and how firms deal with conflicts of Interest. Ernst and Young "Risk Culture: Much Ado about something" A "Learning" Organization supports constructive criticism and healthy debates ADIDS 1. Analyze the Business Model 2. Design Organization Risk Strategies 3. Implementing Risk Process 4. Developing Organizational Risk Competency 5. Supporting Decision Making Risk Profile includes the risk assessment, risk appetite, risk tolerance, and control process Risk Register Tool Used to provide an overview of the organization's risk profile aligned to corporate strategy Risk Competencies developed to differentiate the organization and create a competitive advantage As a discipline, SRM is mastery of risk competencies along a continuum Examples: Knowledge/Understanding of Operations Strong relationships with key stakeholders Ability to assess/plan for accurate number of resources to execute risk strategy Risk awareness Forward looking, long term view into emerging risks Technically risk-savvy reputation Ability to identify, assess, treat risk Clear view into risk materiality and ability to narrow focus Traditional Risk Management Strategy is to transfer risk using insurance Measurement is Total Cost of Risk (TCOR) RIMS Risk Maturity Model RMM Risk Maturity Model: Tool used to measure and share risk management achievements Figure 1 - Pyramid - RIMS Risk Maturity Components 7 Attributes 25 Competency Drivers 68 Key Readiness Indicators Figure 2 - Stairs - RIMS Risk Maturity Levels 1- Ad hoc 2- Initial 3- Repeatable 4-Managed 5- Leadership ERM Governance Model ERM Governance Model: 3 sections of Pyramid Bottom of Pyramid - Business Area Managers "Risk Owners" - they engage in risk assessments, own management of risk treatments, and report on risk exposure/actions in business area Middle of Pyramid - Top Management - they establish risk management policies/tolerances, review and report on significant risk issues, and controls risk governance and infrastructure Top of Pyramid - Governing Body - Ultimate management oversight responsibility Risk Treatments Risk Treatments: Avoid, Accept, Transfer, Mitigate, and/or exploit Risk Governance - Define Roles, Responsibilities, and Accountabilities Risk Governance - Roles, Responsibilities, and Accountabilities- Tree Diagram Far left - For each activity related to an identified risk, designate a Risk Owner Middle - Designate owners for activities that control or modify identified risk Far right - Establish, monitor, and update risk ownership by external stakeholders, such as suppliers