D.1. Enterprise Risk Management (ERM) Flashcards

Explore enterprise risk types, the COSO framework, risk appetite, and capital adequacy. (80 cards)

1
Q

What is the definition of “risk” according to the Institute of Management Accountants (IMA)?

A

Any event or action that can keep an organization from achieving its objectives.

2
Q

How does “uncertainty” differ from “risk”?

A
  • Uncertainty refers to something that is not known or is not definite and can lead to either positive or negative outcomes.
  • The IMA’s definition of risk is framed in negative terms only, as events that might cause harm to an organization.
3
Q

What is the primary objective of enterprise risk management (ERM)?

A

To coordinate risk identification, assessment, and management throughout the entire organization to maximize coverage and reduce the possibility of overlooked risks.

4
Q

What are some benefits of effective risk management that are common to all organizations?

A
  • Increasing shareholder value through minimizing losses and maximizing opportunities
  • Fewer disruptions to operations
  • Better utilization of resources and better cost control
  • More effective strategic planning
  • Timelier assessment and grasp of new opportunities
  • Better and more complete contingency planning
5
Q

What is contingency planning?

A

“What if?” planning that prepares a company for possible future events, especially negative ones.

6
Q

What are the five commonly used classifications of risk?

A
  • Business risk
  • Strategic risk
  • Operational risk
  • Financial risk
  • Hazard risk

Business risk: anything that could cause a variability in earnings

Strategic risk: risk that affects the whole organization

Operational risk: caused by inadequate or failed internal processes, people, or systems

Financial risk: risk connected to the financial health of the company

Hazard risk: risk events that can be insured against

7
Q

What is business risk?

A

Risk related to anything that could cause a variability in earnings:

  • variability of demand for the company’s products or services
  • variability in the company’s selling prices
  • variability in the price of inputs to the product, supply chain disruptions, and changes to the company’s degree of operating leverage
8
Q

What is strategic risk?

A

Risk affecting the whole organization:

  • economic risk
  • global market conditions
  • reputation risk
  • brand risk (patent and trademark protection)
  • the risk of customers’ needs changing, actions of competitors, and changes in regulations
9
Q

What is political risk?

A

A type of strategic risk, which arises when political conditions in a country cause a company’s investments or assets to lose value or become worthless.

Examples are taxes, regulations, government bureaucracy, corruption, blockage of fund transfers, inconvertible currency, currency devaluation, inconsistent or contradictory enforcement of laws, expropriation (government seizure of private property), civil unrest, or war.

10
Q

What is operational risk?

A

Risk resulting from inadequate or failed internal processes, people, or systems.

Examples are process execution risk, human resources risk, technological risk, risk of a break in business continuity, risk of customer dissatisfaction, product or service failure, legal risk, and compliance risk.

11
Q

What is financial risk?

A

Risk that is connected to the financial health of the company.

It includes risks like capital availability; volatility of foreign currencies, interest rates, or commodity prices; concentration of customers and the credit risk associated with a concentration of receivables.

12
Q

What is hazard risk?

A

Risk events that can be insured against, such as natural disasters, death of a key employee, or personal injury on the business premises.

13
Q

Risk events can be classified as internal risks or external risks. What are some examples of internal risks?

A
  1. Infrastructure risk events
  2. Process-related risk events
  3. Internal technological risk events

Infrastructure risk events such as changes to the organization or its policies

Process-related risk events such as changing the way a product is manufactured

Internal technological risk events such as introducing new software

14
Q

Risk events can be classified as internal risks or external risks. What are some examples of external risks?

A
  1. Competition and actions of competitors.
  2. Regulations and the company’s capacity or willingness to comply.
  3. Supply chain disruptions
  4. Political risk
  5. Economic risk, such as the risk of a recession
15
Q

What are the five steps in the risk management process?

A
  • Step One: Risk identification
  • Step Two: Risk assessment
  • Step Three: Risk prioritization
  • Step Four: Response planning
  • Step Five: Risk monitoring
16
Q

What is the purpose of the first step in the risk management process, risk identification?

A

To identify potential risk events that might adversely impact or otherwise prevent the company from achieving its objectives.

17
Q

What are some techniques for identifying risks?

A
  • Brainstorming sessions
  • Event inventories and loss event data
  • Interviews and self-assessment
  • Facilitated workshops
  • SWOT analysis
  • Risk questionnaires and risk surveys
  • Scenario analysis
  • Use of technology to communicate risk management practices for use by other units or to scan the internet for risks related to the company’s products, services, and reputation.
18
Q

What is the purpose of facilitated workshops in risk identification, the first step of the risk management process?

A

To identify the most critical risks by having a facilitator lead discussions about events that may affect the achievement of the entity’s objectives.

Facilitated workshops can include management, employees, customers, suppliers, or other stakeholders in order to draw on their accumulated knowledge and experience.

19
Q

What does SWOT stand for, as in SWOT analysis that is used for formulating strategy and identifying risks?

A
  • Strengths
  • Weaknesses
  • Opportunities
  • Threats

Careful consideration of the organization’s weaknesses and threats as a part of the strategic planning process can lead to explicit identification of risks.

Strengths and weaknesses are internal factors, while opportunities and threats are external factors.

20
Q

How can risk questionnaires and surveys be used for risk identification in the first step of the risk management process?

A

Questionnaires provide a list of questions relating to specific risks. They can help management think through its risks.

Customer satisfaction surveys, other customer comments, or exit interview comments made by departing employees should be reviewed to identify any situations that might represent risks.

Risk surveys are more open-ended, asking participants to list the most important risks to achieving the company’s strategic objectives.

21
Q

What is the focus of scenario analysis in risk identification, the first step of the risk management process?

A

Managers consider various scenarios that could occur and how they would impact the business.

Scenario analysis helps identify multiple risks within a single event.

22
Q

What is involved in the second step of the risk management process, risk assessment?

A

Risk assessment is the process of analyzing and quantifying identified risks from three perspectives:

  • the likelihood of the risk’s occurring
  • the potential impact or the relative significance of the event if it does occur
  • the interrelationship of the risks on a unit-by-unit or total organization basis
23
Q

Define:

Inherent risk

A

The level of risk that resides with an event or process prior to management taking a mitigation action.

Inherent risk is risk related to the nature of the activities the company undertakes in the normal course of business. Management cannot do anything about the existence of inherent risk; however, it can take steps to address and, where appropriate, mitigate the effects of inherent risk.

24
Q

What is residual risk?

A

The level of risk that remains after management has taken action to mitigate the risk.

Residual risk should be reduced to an acceptable level.

25
Q

What is risk analytics, and how can it be used in the second step of the risk management process, risk assessment?

A

Risk analytics is using software to quantify and calculate risk exposure, perform simulation or scenario analysis, document risks, and keep records of actual events and events avoided. Risk analytics can also be used to measure risk concentrations and interdependencies.

Footnote: The accuracy of the result from risk analytics is dependent on the accuracy of the inputs regarding the risk event.

26
Q

What are the two components of exposure to risk that are used in risk assessment, the second step of the risk management process?

A
  • **Loss frequency**, or probability
  • **Loss severity**, or estimated potential monetary loss as well as nonfinancial impacts

27
Q

What is a **risk map**, a qualitative tool used in risk assessment, the second step of the risk management process?

A

A visual depiction of relative risks, plotting the probability of an event happening on the x-axis of a chart against the estimated monetary impact of the loss on the y-axis.

Footnote: A risk map helps management pinpoint important risks and provides a portfolio view of risks.

28
Q

What is Value at Risk (VaR), a quantitative tool used in risk assessment, the second step of the risk management process?

A

A measure of the potential loss in value of a risky asset as the result of a specific risk event over a defined period for a given confidence interval.

Footnote: VaR assumes that the possible outcome of the event is represented by a normal distribution.

29
Q

What is the purpose of **Cash Flow at Risk**, a quantitative tool used in risk assessment, the second step of the risk management process?

A

To measure the likelihood that cash flows will drop by more than a certain amount over a given period.

30
Q

What is **Earnings at Risk**, a quantitative tool used in risk assessment, the second step of the risk management process?

A

A measure of the confidence interval for a decline in earnings during a specific period, obtained by examining how earnings vary around expected earnings.

31
Q

What is the role of **benchmarking**, a quantitative tool used in risk assessment, the second step of the risk management process?

A

Comparing the company’s risk profile and the impact of potential risks with those of similar companies.

32
Q

What is the objective of risk prioritization, the third step in the risk management process?

A

After risks have been identified and assessed, the company uses risk prioritization to decide which risks rank the highest in priority and thus should be addressed first.

33
Q

What are the four terms used to express the measurement of potential loss from a specific risk, as used in risk prioritization, the third step of the risk management process?

A
  • Expected Loss
  • Unexpected Loss
  • Maximum Probable Loss
  • Maximum Possible Loss

34
Q

What is the definition of **expected loss** in the context of risk prioritization?

A

An amount that management expects to lose to a given risk per year on average over a period of several years. Because the loss is expected, it should be included in the budget.

35
Q

In risk prioritization, how is **expected loss** calculated for a loss event with multiple possible loss amounts?

A

As the weighted average of all the possible loss amounts, using the probabilities of the possible loss amounts as the weights.

36
Q

In risk prioritization, how is **expected loss** calculated for an event that may or may not happen, and if it does happen, there is only one possible loss amount?

A

The expected loss is a weighted average, except there are only two possible loss amounts: the amount of the loss if it occurs, and zero if it does not occur. The weighted average for an event that may or may not happen is simply the potential loss amount multiplied by the probability of the loss occurring (because zero multiplied by anything is zero).

37
Q

Define:

**Unexpected loss** from a risk event in the context of risk prioritization.

A

An **unexpected loss** is the amount that could likely be lost to the risk event in a very bad year that is greater than the amount budgeted for the expected loss, up to the maximum probable loss. The business should reserve the unexpected loss amount as capital.

38
Q

Define:

**Maximum probable loss** from a risk event in the context of risk prioritization.

A

The maximum probable loss from a risk event is the largest loss that can occur under foreseeable circumstances. The probable maximum loss to real property is inversely related to the size of the building and to the effectiveness of protections in place (for example, sprinklers, alarm systems, distance from the closest fire station, and so forth).

Footnote: “Maximum probable loss” is also known as “probable maximum loss” or PML.

39
Q

Define:

**Maximum possible loss** from a risk event in the context of risk prioritization.

A

The **maximum possible (or catastrophic) loss** is the worst-case scenario. It represents the greatest possible loss from a specific risk or event. The maximum possible loss for a building is the complete destruction of the building and all its contents.

Footnote: The maximum possible loss for a financial asset is 100% of the amount invested. For derivatives like a naked call option, the maximum possible loss is unlimited.

40
Q

As used in risk prioritization, what is the purpose of a cost-benefit analysis?

A

To compare the expected loss from a risk with the cost of the proposed risk response.

Footnote: If the cost to respond is higher than the expected loss from the risk, it may be better not to take any action.

41
Q

In **response planning**, the fourth step in the risk management process after management has identified, assessed, and prioritized risks, management can choose among five different responses for each specific risk. What are the five responses?

A
  • Avoiding or eliminating the risk
  • Reducing or mitigating the risk
  • Transferring or sharing the risk
  • Retained risk or risk retention
  • Exploiting or accepting a risk

42
Q

One of the potential risk responses is reducing or mitigating the risk. What is an example of reducing or mitigating a risk as a risk response?

A

Selling or otherwise disposing of a business unit or product line.

43
Q

One of the potential risk responses is avoiding or eliminating the risk. What is an example of avoiding or eliminating a risk as a risk response?

A

Expanding an existing product line, splitting an IT function into two geographically separate areas, or diversifying in other ways.

44
Q

One of the potential risk responses is transferring or sharing the risk. What is an example of transferring or sharing the risk as a risk response?

A

The purchase of insurance.

45
Q

One of the potential risk responses is retained risk or risk retention. What is an example of retained risk or risk retention as a risk response?

A

The portion of a loss not covered by insurance, such as a deductible, is retained risk.

46
Q

One of the potential risk responses is exploiting or accepting a risk. What is an example of exploiting or accepting a risk as a risk response?

A

Deliberately exposing the company to a risk to generate profits.

Footnote: Management must be able to discern which risks should be exploited. The best measure of effective risk exploitation or acceptance is the degree to which the risk taking has increased the value of the company.

47
Q

What is involved in risk monitoring, the fifth step of the risk management process?

A

After the risk management strategies have been implemented, the company must continue to monitor the situation to ensure that each risk has been addressed as intended. Managers should be surveyed regularly or should report regularly with a current assessment of the likelihood of an identified risk’s occurring.

48
Q

What three items comprise a company’s attitude toward risk?

A
  • Risk capacity
  • Risk appetite
  • Risk tolerance

49
Q

Define:

Risk capacity

A

The maximum amount of loss a company could withstand and continue to operate. It is the upper limit of loss that can be borne by a company without going into bankruptcy.

50
Q

Define:

Risk appetite

A

The broadly defined level of risk an organization is willing to accept in pursuit of value.

Footnote: The ability of an organization to accept risk is dependent on the expectations of its various stakeholders, its regulatory and contractual requirements, and the capabilities of its people, technology, and capital.

51
Q

Define:

Risk tolerance

A

The amount of risk the company is willing to bear for a specific risk. Risk tolerance is more narrowly focused and specific than risk appetite, and different units may have different tolerances.

Footnote: Operating within its risk tolerances provides management more assurance that the company is remaining within its risk appetite. Remaining within its risk appetite provides a greater degree of assurance to management that the company will achieve its objectives.

52
Q

How can operational risk — risk connected to the day-to-day operations of a business that results from inadequate or failed internal processes, people, or systems — be managed?

A

Through (1) properly developed, implemented, and maintained internal controls; and (2) continuous reviews of both the business processes and the personnel in the company.

53
Q

How can financial risk — risk connected to the financial health of the company — be managed?

A

Financial instruments and policies that can help manage financial risk include:

  • Maintaining commitments such as lines of credit for financing needs
  • Derivative instruments such as forward or futures contracts, options, and interest rate and foreign currency swaps
  • Specific policies and procedures for short- and long-term investments, such as the types of investments that are acceptable

54
Q

What is the primary objective of enterprise risk management (ERM)?

A

Coordination of risk identification, assessment, and management throughout the entire organization, maximizing coverage and reducing overlooked risks.

55
Q

How does enterprise risk management (ERM) differ from traditional risk management?

A
  • **Traditional risk management** involves individual departments and divisions making risk assessments and managing risks.
  • **ERM** provides a top-down view of key risks facing the organization. It approaches risk management from both the individual department perspective and the overall organizational perspective.

56
Q

What is the purpose of maintaining commitments such as lines of credit in financial risk management?

A

To maintain access to credit for financing needs.

57
Q

Which financial instruments are used to hedge against foreign currency value fluctuations?

A
  • Forward or futures contracts
  • Options
  • Foreign currency swaps

58
Q

What is a **portfolio view of risk** as used in enterprise risk management?

A

In enterprise risk management, a portfolio view of risk refers to the practice of assessing and managing an organization’s risks in aggregate, as an interconnected whole.

59
Q

True or False: The chief risk officer of a company is responsible for overseeing the company’s risk management process.

A

False

Footnote: In most cases, the **board of directors** is responsible for overseeing the risk management process because risk management requires attention from the highest levels. If a company has a chief risk officer, that person’s activities should be supervised by the risk management committee of the board of directors.

60
Q

How can enterprise risk management enhance the function of corporate governance?

A

ERM can provide assistance for the board of directors, the risk management committee, and the Chief Risk Officer because it examines the company as a whole instead of its separate segments individually. ERM can help a company identify corporate objectives that are at risk and the means to address the risks.

61
Q

What role does corporate governance play in risk management?

A

It guides management in assessing and handling risk, ensuring that processes exist to identify, prioritize, manage, and monitor critical risks.

62
Q

What is the role of a chief risk officer (CRO)?

A

To identify, assess, manage, and monitor the overall enterprise risk exposures.

Footnote: The chief risk officer’s risk management activities should be supervised by the risk management committee of the board of directors.

63
Q

What is the COSO 2017 definition of enterprise risk management (ERM)?

A

ERM is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when carrying out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.

64
Q

What are the two important concepts expressed in the COSO 2017 definition of ERM?

A
  • ERM is closely integrated with strategy-setting.
  • The purpose of managing risk is the creation, preservation, and realization of the company’s value, that is, the increase of its value.

65
Q

What is the role of **scenario planning** in risk management?

A

To enable an organization to respond quickly to future, often unpredictable, external events by considering a range of alternatives.

66
Q

What is the purpose of integrating ERM with the Balanced Scorecard?

A

To enhance performance management by managing and monitoring risks related to the company’s strategic objectives.

Footnote: ERM can be used to identify risks that could prevent achievement of the targets in the Balanced Scorecard. By monitoring the organization’s achievement of the key performance indicators in the Balanced Scorecard, management can assess how effectively its risk mitigation efforts are working.

67
Q

What is the role of the board of directors in enterprise risk management?

A
  • The board of directors is responsible for overseeing the risk management process.
  • The board must ensure that management has processes to identify, assess, prioritize, manage responses to, and monitor its most critical risks and, when necessary, a clearly defined process to alert the board.
  • The board must also make sure that these processes are continuously reviewed and improved in response to changes in the business environment.

68
Q

What are the five components of the 2017 COSO ERM framework?

A
  • Governance and Culture
  • Strategy and Objective-Setting
  • Performance
  • Review and Revision
  • Information, Communication, and Reporting

69
Q

What does the **Governance and Culture** component of the COSO ERM framework involve?

A
  • **Governance** sets the organization’s tone. It reinforces the importance of and establishes oversight responsibilities for enterprise risk management.
  • **Culture** relates to ethical values, desired behaviors, and understanding of risk in the entity.

70
Q

What does the **Strategy and Objective-Setting** component of the COSO ERM framework involve?

A

Aligning strategy with risk appetite and setting objectives to identify, assess, and respond to risk.

71
Q

What does the **Performance** component in the COSO ERM framework include?

A

Identifying and assessing risks that may impact the achievement of the company’s strategy and business objectives; prioritizing the risks; implementing risk responses; and developing a portfolio view of risks.

72
Q

What is the purpose of the **Review and Revision** component in the COSO ERM framework?

A

To assess how well the components of enterprise risk management are functioning over time and make necessary revisions.

73
Q

What does the **Information, Communication, and Reporting** component in the COSO ERM framework entail?

A

A continual process of obtaining and sharing necessary information received from both internal and external sources. The communication should flow up, down, and across the organization.

74
Q

What is the benefit of leveraging information systems according to the Information, Communication, and Reporting component in the COSO ERM framework?

A

To support enterprise risk management by obtaining and sharing necessary information.

75
Q

What is the limitation of enterprise risk management?

A

Implementing ERM does not mean that the entity will anticipate every risk that could result in loss.

Footnote: In the ERM process, known risks are identified and some previously unknown risks may become known. However, some unknown risks will not be identified.

76
Q

What is the role of capital adequacy in an organization?

A

An organization with capital adequacy has the resources it will need to survive a significant risk event. Part of the risk management process is for a company to maintain adequate levels of capital in four areas: liquidity, solvency, reserves, and sufficient capital.

77
Q

What is **liquidity** in the context of capital adequacy?

A

A company’s ability to meet its short-term obligations as they come due. A liquid company has access to enough cash or near-cash assets to cover immediate outflows without disruption.

78
Q

What is **solvency** in the context of capital adequacy?

A

A company’s ability to meet its long-term obligations — that is, whether its total assets exceed its total liabilities over time.

79
Q

What are **reserves** in the context of capital adequacy?

A

Funds or assets that a company deliberately sets aside to absorb anticipated losses or unexpected events. Reserves act as a financial buffer, reducing the impact of a risk event on the company’s ongoing operations.

80
Q

What is **sufficient capital** in the context of capital adequacy?

A

Maintaining a capital base that is adequate to support the company’s operational needs in the context of its risk profile. A company with greater capital has more risk management tools available to it and is better positioned to absorb losses without their threatening its ability to remain in business.