Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key


Play button


Play button




Click to flip

23 Cards in this Set

  • Front
  • Back
Traditional risk management

Traditional risk management is concerned primarily with pure risk. Hazard risk - property damage due to fire and other hazards, and injuries to employees. Operational risk - arise out of services or manufacturing activities (insurance usually doesn't provide a lot of relief for operational risk, mostly hazard risk).

Traditional risk management attempts to prevent or reduce potential losses and compensate for losses that do occur.


Enterprise wide risk management is concerned with all risks, pure and speculative (including hazard and operational). Financial risk - interest rate risk, inflation, market risk. Strategic risk - management decisions regarding new products and planning could result in profit (upside risk - risk organization will out perform its goals, good thing). ERM cannot elimiate risks to the orgs business model.

ERM emphasizes relationships between pure and speculative risk.

Elements of ERM
Elements of ERM (trying to optimize the organization): strategic integration (ERM considers global array of risks affecting an organization, not just pure risk). Performance metrics (ERM seeks to optimize risk taking in relationship to strategic goals, trying to optimize goals by taking into account all risks). Organizational structure (possibly largest element) (in ERM, risk management is decentralized (integrated into all levels of organization, with traditional risk program a small group of risk managers handles risk, with ERM, risk management is spread throughout the org)).

ERM addresses potentially devastating threats.

ERM Organizational structure
Organizational structure: enterprise risk manager is typically referred to as chief risk officer (senior risk professional engaged in ERM). Chief risk officer may report directly to CEO or board of directors of the org. In addition, the CRO helps create a culture in which dept. head and project managers are identified as risk owners. The person closest to the actual risk itself is considered the risk owner, different dept. heads take ownership of the risk and they are responsible for it so it's important everyone communicates effectively. Each manager is responsible for decision-making about risks with their individual unit.
Incorporating ERM

Organization that incorporates ERM with its strategic planning process improves its decision making by: addressing potentially devastating threats, exploiting/optimizing opportunities (won't see with traditional, traditional simply tries to identify loss exposures and reduce severity/frequency and pay for losses), managing unwanted variations from expectations.

Incorporating ERM helps ensure the continuation and success of the organization.

ERM exposure spaces model

Used to identify exposures and opportunities. Uses a graph of x-axis (resources), y-axis (impacts) and z-axis (events).

ERM process framework

ERM process (very similar to risk management process):

1) Establish ERM goals - consider goals for ERM as part of organization's business model (not just looking at hazard losses, talking about opportunities for profit). Must consider organization's risk appetite, and why the ERM program is needed. Define ERM for the organization.

2) Identify risks - at a minimum, top five risks should be identified and targeted for treatment.

ERM process framework pt.2

ERM process framework:

3) Analyzing, evaluating and prioritizing risks. Examine internal and external threats to organization's missions, strategies and goals. Identify changes that could undermine organization. These threats can undermine the org but can also present opportunities in areas such as competition, economy and the ability to meet regulatory requirements.

4) Treat critical risks.

5) Monitoring critical risks - identify trends, triggering events and warning signs during assessment phase.

ERM process enhances the ARM in these three ways
The ERM framework enhances the Associate in Risk Management (ARM) six-stop risk management process in three ways:

ERM establishes internal and external context of the enterprise at the outset (goal setting phase).

ERM requires communication and consultation with all stakeholders (info is not isolated within one team, it's communicated enterprise wide which enhances the process).

ERM adds a decision step (not process step) prior to risk treatment (asks risk manager to determine whether risk is within risk tolerance, extra decision that needs to be made within ERM).

Treating risks
Based on likelihood of risk, organization might use the following risk treatment categories: avoid (alternative strategies to avoid risk, not practical). Accept (retain) (planning to deal with risk). Transfer (assign risk to third party). Mitigate (loss reduction) (do what it takes to reduce risk to tolerable level). Optimize/exploit (optimize positive consequences of risk to achieve gain, benefiting from risk).
Chief Risk Officer
Should review several areas: management's view (management is big participant in ERM), frequency of key risks, process to identify key risks, risk sensitivity on liability management and financing decision, and the role of risk management in strategic decision making.

CRO is the senior risk professional engaged in ERM in an enterprise and pulls everything together but the ownership and decision making is spread throughout the company.

Enhancing decision-making

ERM approach provides following benefits: enhanced decision-making and improved risk communication.

ERM allows for enhanced decision-making. Gives decision-makers access to total risk picture of organization. Increased profitability and reduced volatility. Improved ability to meet goals. Increased management accountability (different managers that are risk owners who are accountable).

Improved risk communication
ERM allows improved risk communication. Eliminates barriers associated with information silos (Info silo is info contained within one group of people). Improves manage consensus, not bottom-up management, it's a collaborative effort. Embraces risk as a component of each decision. Improves buy-in by stakeholders by encouraging cooperation among management.


TRM performance metrics: activities and results, ERM performance metrics: metrics appropriate to the risk.

TRM organizational penetration: limited integration - silos, ERM organizational penetration: systematic integration - owned by all.

TRM outcomes: eliminate, minimize & mitigate risk, ERM optimize risk.

ERM approach improves management consensus by creating a culture that embraces risk as a component of each decision. ERM involves the systematic management of internal and external threats and the exploration of new opportunities. Historically, orgs have focused on quarterly profits and losses but ERM looks at risks affecting long term profitability. E.x. if competitor is undercutting prices, the org can mitigate or avoid.

Major frameworks and standards

Frameworks that are not mandatory: ISO 31000:2009, BS 31100, COSO II and FERMA (don't need to memorize for exam)

Frameworks that are mandatory: Sarbanes-Oxley act of 2002, basel II and solvency II.

ISO 31000:2009
Publication issued by the international Organization for Standardization. Focuses on meeting risk management objectives and the importance of risk communication. Provides generic approach applicable to any industry sector. Must be supplemented with guidelines and tools specific for an industry.
Code of practice published by the British Standards Institution. Provides recommendations for framework, process and implementation. Standards that can be used by risk managers. Goals include ensuring that risks are managed and organization achieves its goals.
Published by Committee of Sponsoring Organizations of the Treadway Management - Integrated Framework. Defines ERM and process driven by board of directors. Initiates dialog with board and senior executives. Focuses on threats to the organization and application of controls. Does not delve into the details of risk management processes and approaches. Best for organization large enough to require risk management examination.

Federation of European Risk Management Associations adopted the Risk Management Standard which contains an organized risk management structure. Establishes consistent terminology. Organized risk management structure. Standard recognizes that risk has both upside and downside. Consists of national risk management associations, individual risk managers and representatives from various sectors.
Basel II
Was issued by the Basel Committee on Banking Supervision. Provides recommendations on banking laws and regulations. Established international standard for banking regulators. Protects international financial system from problems of bank collapse.

Basel and banking both start with "B".

Solvency II
Was developed bu the European Commission. Contains regulatory requirements for insurance firms operating in European Union. Facilitated development of single market for insurance services in Europe.

Solvency is very important for insurance.

AS/NZS 4360

Designed as a risk management framework for many different types of orgs including public sector entities, commercial enterprises, partnerships, proprietorship and charities.


Integrated pollution prevention and control, environment management systems requirements, occupational health and safety assessment series, petroleum and gas industries (offshore production installations), information technology (security techniques), application of risk management to medical devices and space systems risk management.