Domain I: Organizations and Organizational Culture


The objective of this module is to better prepare the participant to pass the Certification in Risk Management Assurance exam by discussing and analyzing the technical dimensions of this domain, along with techniques for best managing multiple-choice questions.


Included are discussions of the skill requirements of a CRMA to:

A. Assess risk management processes in the context of alignment with strategic imperatives

1) Objectives of risk management processes

2) Organization's risk culture

3) Risk capacity, appetite, and tolerance of organization

B. Assess the processes related to the elements of the internal environment in which organizations seek to manage risks and achieve objectives

1) Integrity, ethical values, and other soft controls

2) Role, authority, responsibility, etc., for risk management

3) Management's philosophy and operating style

4) Legal / Organizational structure

5) Documentation of governance-related decision-making

6) Capabilities, in terms of people and other resources (e.g., capital, time, processes, systems, and technologies)

7) Management of third party business relationships

8) Needs and expectations of key internal stakeholders

9) Internal policies

C. Assess the processes related to the elements of the external environment in which organizations seek to manage risks and achieve objectives

1) Key external factors (drivers and trends) that may impact the objectives of the organization

2) Needs and expectations of key external stakeholders (e.g., involved, interested, influenced)

Source: The IIA International web site


Organizations and Organizational Culture


In order for organizations to establish a risk culture, it is first necessary to understand an organization as an entity. By simple definition, organizations are social entities that are goal-directed, deliberately structured activity systems with permeable boundaries. More specifically, organizations as social entities are people or groups of people who function together to perform the tasks and functions of the organization so that the organization may reach its objectives.


In deliberately structured organizations, objectives and goals are typically subdivided into subsets of activities. Hence, different perspectives on goals and objectives become apparent at the different levels within an organization. Despite these different perspectives, the subdivided sets of activities should all work toward the overall organizational objectives and goals.


With this in mind, the deliberate structure of an organization should facilitate and coordinate the efforts of all of the subdivided sets and move uniformly toward one efficient and effective effort.


All organizations have permeable boundaries that should, at a minimum, separate them from other organizations. This is called differentiation. This distinction defines individual organizations, their functions, and their purposes. In terms of competition, differentiation of purpose, product, or service distinguishes one organization from another. From the competitive perspective, this differentiation is what causes a customer or client to choose one company or organization over another. Reasons for these differentiated customer/client choices include price, location, customer service, quality, likeability of the company, and compatibility with customer needs and wants.


Organizations probably had more defined and distinctive boundaries in the past. However, in more contemporary times the boundaries of organizations have become, and must be, more permeable or flexible. In order to survive, it is now necessary that organizations share information with each other, cooperate, and collaborate. The sharing of technology, ideas, and components, as well as international trade, are just some examples of the necessity for more permeable boundaries in today's organizations.


Further, the risks an organization faces can be subdivided into two distinct classes that directly relate to the organization's focus, its ability to address those risks, and hence its success. These classes, internal risk and external risk, will be discussed later in detail. Internal risks include training; the capabilities of staff and employees; and inadequate physical and logical controls such as locks, cameras, and passwords, to name a few. Internal risks can be understood and fixed. Generally, there is, or can be, some control over internal risks.


External risks, on the other hand, are the elements that have an impact on the organization but over which the organization has little or no control. Consequently, although it has little or no control over the advent of these external risks, the organization must still plan for and manage them. External risks can include the environment, weather, interest rates, the economy, international relations, international suppliers, exchange rates, politics, and government rules and regulations.


The two subcategories of organizations that relate to both internal and external risks are the open organization system and the closed organization system. A closed system does not depend on the environment in which it operates. A closed system would be relatively simple to understand and manage; with no external influences to worry about, the closed organization system would most likely be stable and predictable. A closed organization would be totally autonomous, enclosed and sealed off from the outside world of external influences. Although possible in theory, it is unlikely that a completely closed organization system, by definition, could exist in today's business environment.


Answer the Following Question.

8. The Senior Vice President of Operations reports directly to the Chairman and President of Products Inc. This is a family-owned company which has grown substantially over the past few years. Now named Products International, its growth can be attributed mostly to the purchase of three international companies. These newly-purchased companies provide similar products to the parent company and were also looking to expand into international markets. As all of these companies provide generally the same products, which type of operating environment does Products International have?

product differentiation environment

See Application Questions, Answers & Explanations module for answer




An open system must interact with its environment. This is the more likely situation in today's environment. Open systems can be very complex and require innovative and proactive management. Open systems have to find and obtain needed resources, interpret and act on environmental changes (external risks), dispose of outputs, control and coordinate internal and external activities, and manage environmental change. When they work closely with competitors and international markets, their complexity increases further. Remember: as complexity increases, so does risk.


Organizational structure definitions are fine for establishing a framework for organizational culture, but it is people who make an organization function as intended. It is these people who establish the culture for such things as ethics, attitude, morale, risk management, and the establishment and implementation of adequate controls, and who move the organization toward its objectives most efficiently and effectively.


Connecting the tone:


Looking from the top level of an organization downward, upper management is responsible for the entire organization. Upper management must establish objectives and goals, develop strategy, interpret the external environment, and adjust for the influences that the external environment imposes on the achievement of objectives. Further, upper management must decide upon and influence the organization's design and structure. In more detail, upper management must influence the entire organization toward compliance with laws and regulations, facilitate the accomplishment of goals and objectives, establish the reliability of information provided to internal and external stakeholders, manage the efficient and effective use of resources, and solidify the safeguarding of assets.


Probably most important is the tone that is established and emulated by top management. Words, speeches, posters, and newsletters are all fine, but without a sincere tone of support and belief from top management, they are just that and will have little impact on the intended direction of the organization.


Next from the top down are middle managers. Middle managers are, or should be, concerned with the functioning of individual departments such as accounts payable, marketing, operations, and human resources, to name a few. These middle managers must relate the functioning of their respective departments to the goals and objectives of the overall organization. They must design and implement effective interrelations of politics, technology, and cooperation, along with risk and control management, among interfacing departments.


Why the Concern with Third Party Relations?

Some Risks Associated with Third-Party Relationships

Strategic risk. Strategic risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions. Strategic risk can exist when there is an aggressive effort to remain competitive or boost earnings, and/or when third-party relationships are used without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the relationship. Strategic risk also arises if management does not possess adequate expertise and experience to properly oversee the activities of the third party.

Reputation risk. Reputation risk is the risk to earnings or capital arising from negative public opinion. Of all risks, this can probably be the most harmful in both the long and short terms. Third-party relationships that do not meet the expectations of customers or clients expose the company to reputation risk. Poor service, disruption of service, inappropriate sales recommendations, and violations of consumer law permitted by third-party relationships can result in litigation, loss of business, or both.

This is particularly true when the third party's employees interact directly with customers or clients and engage in practices or actions that are not consistent with the policies and standards of the parent company. In addition, publicity about adverse events surrounding the third parties may increase reputational risk.

Compliance risk.  Compliance risk is the risk to earnings or capital arising from violations of laws, rules, or regulations, or from nonconformance with internal policies and procedures or ethical standards. This risk exists when products, services, or systems associated with the third-party relationship are not properly reviewed for compliance, or when the third party's operations are not consistent with law, ethical standards, and policies and procedures of the parent company.

Transaction risk. Transaction risk is the risk to earnings or capital arising from problems with service or product delivery. Transaction risk is present in each product or service offered by the third party on behalf of the parent company. Transaction risk can increase when the products, services, delivery channels, and processes designed or offered by a third party do not fit the parent company, its customers' demands, or its strategic objectives. A third party's inability to deliver products and services on behalf of the parent company, whether arising from fraud, error, inadequate capacity, or technology failure, exposes the parent company to transaction risk.


Risk and control management and the achievement of overall objectives are the responsibility of everyone. However, for this to be successful, upper management and the Board of Directors must recognize and manage internal and external risk as well as establish a risk appetite (the amount of risk the organization is willing to accept in order to achieve its objectives). Further, it is the responsibility of the Board of Directors and management to effectively communicate this risk philosophy and culture to everyone and to monitor it.


Organizational governance related to risk management

1.3 When upper management is establishing a cultural philosophy, they must understand and adjust for:

1. internal and external politics

2. internal controls

3. feedback

4. internal and external risk

Answer 4 is the correct answer. The other answers are nice common words but do not apply to this question. The only answer that may even warrant some consideration would be answer 1. However, answer 1 is narrow, addressing only politics. Politics can be a risk, but it is only one risk. Answer 4 implies multiple internal risks and external risks. It is much better to understand the implications of as many internal and external risks as possible when developing a cultural philosophy.