Domain II: Principles of risk management processes


The objective of this module is to better prepare the participant to pass the Certification in Risk Management Assurance Exam by discussing and analyzing the technical dimensions of this domain while discussing techniques to best manage multiple-choice questions. 


Included are discussions of the skill requirements of a CRMA to:


A. Benchmark risk management processes using authoritative guidance


B. Evaluate risk management processes related to:


  1. Setting objectives at all levels to achieve strategic initiatives
  2. Identifying risks
  3. Risk analysis and evaluation including correlation, inter-dependencies, and prioritization
  4. Risk response (e.g., avoid, transfer, mitigate, accept), including cost/benefit analysis
  5. Developing and implementing risk mitigation plans
  6. Monitoring risk mitigation plans and emerging risks
  7. Reporting risk management processes and risks, including risk mitigation plans and emerging risks
  8. Periodic review of risk management processes to aid in continuous improvement

Source: The IIA International web site

Principles of Risk Management Processes

Managers put assets at risk to achieve objectives.

Establishing Objectives

Establishing objectives should be the first step in any business process.  Establishing objectives has to be the first step whenever performing a review of business risks or a risk or control analysis.  If the objectives are overlooked, the efforts will be wasted. 

Back to basics: These are the three basic elements of business: objectives, risks, and controls, which should be addressed in that order.  The very first element, and the foundation necessary to address the implementation and adequacy of risk management, is an objective.  Any process, physical task, or human effort must have an objective, a clear focus on what is to be accomplished.

Some of the general terms associated with the establishment of objectives are the mission statement, the objectives, and the goals, moving from the broadest statement to the most detailed.

Generally, the amount of detail needed to accomplish the objectives increases as goals are defined.  However, whether the mission, objectives, or goals are being discussed, a clear focus on what is to be accomplished must be kept in mind.

Objectives Must Be Specified First

If objectives are not specified first:

·         risk will become overwhelming

·         risk may not be controllable

·         efforts and resources will be wasted




Below are the criteria most often associated with the definition of goals.  However, they can be used for establishing adequate objectives as well:

Specific: a definitive outline of what is to be accomplished must be identified.  The more specifics that are identified, the more likely the objectives will be accomplished effectively and efficiently.  Conversely, the fewer specifics that are identified, the less likely the objectives will be accomplished as intended.  With fewer specifics, people will interpret a direction for themselves, which may not be in concert with the overall objectives.  Hence, inefficiencies will prevail.

Measurable: the actions taken to accomplish objectives are subject to technological and human intervention.  Therefore, it is important that a measurable mechanism be put in place to monitor these actions and ensure that the intended objectives are being accomplished.  As with any monitoring control, the mechanism should include not only a physical means of monitoring but also an action to correct deviations beyond accepted limits.  For extensive objectives (those which may take a long time to complete), benchmark / status measurements are appropriate.  This means that periodic measurements at predetermined times are established.  These benchmarks / status measurements help guide minor adjustments as they are recognized, as opposed to waiting until major adjustments are required.

Additional comments about benchmarking:  benchmarking is the measuring or comparing of an entity, process, or objective against another real or perceived entity, process, or objective.  Benchmarking measures progress among or between these relationships.  Benchmarking can help establish priorities, targets, and the need for adjustments in the process.

Some uses of benchmarking:

·         develop performance measures

·         develop comparisons of performance relative to goods and services

·         access ideas from proven practices

·         develop best practices

·         maintain a competitive advantage


Risk Terms


Risk is a concept.  It is a measure of uncertainty (probabilities).  In business processes the uncertainty involves the achievement or the barriers to achieve organizational objectives.  Risk may have positive or negative consequences.  Generally, positive consequences are known as opportunities and negative consequences are called threats or risks.


Consequences are the tangible outcomes of risk on decisions, events, or processes.  Although it can be difficult to identify and measure intangible risk (sometimes called soft issues, such as lack of morale, bad work ethics, inadequate management style, and others), we can and should anticipate the implications of these soft issues.  Risk is neither good nor bad, it just "is."


Consequences can vary in severity depending on a number of factors, some of these factors are:


·         the assets at risk


·         the type of threat


·         the duration of the consequence


·         the effectiveness of controls in place




Exposure is the susceptibility to loss or a perception of a threat to an asset or asset-producing process.  Generally, the more valuable the asset is to achieving the organization's established objectives, the more important that exposure becomes.  Exposure is controlled or diminished by adequate and effective risk management techniques, including designing and maintaining effective controls.


Threat is a combination of the risk, the consequence of that risk, and the likelihood that the negative event will take place.  The type of threat is actually an expression of the type of consequence such as fire, flood, error, omission, delay, fraud, breakdown, and obsolescence.  Threats come from the operation of risk in the environment, regardless of the controls or control environment.  Threats are always present; controls keep them in check (as long as the controls are effective).


The duration of the consequence affects its severity. This can be well described with an example of a computer center. Most computer center managers will tell you, if the computer is down for an hour, that's one consequence.  However, if the computer is down for a day that's another, and if it is down for a week that is another and much more severe!
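The following is an added illustration, not part of the study guide, that puts the terms above into a small risk register: a threat is scored as likelihood times consequence, consequence grows with the duration of the effect (the computer-centre hour / day / week example), the asset's value to the objectives weights the result, and control effectiveness diminishes the exposure.  The scales, weights and sample entries are assumptions chosen for the illustration.

```python
"""Added example (not from the guide): exposure scoring with the four
severity factors named above and the likelihood component of a threat.
Scales and weights are assumed for illustration only."""
from dataclasses import dataclass, replace


@dataclass
class RiskEntry:
    asset: str
    threat_type: str              # e.g. breakdown, fraud, delay
    asset_value: int              # 1 (minor) .. 5 (critical to objectives)
    likelihood: float             # 0.0 .. 1.0 probability the event occurs
    impact_per_hour: float        # consequence for each hour the effect persists
    duration_hours: float         # how long the consequence lasts
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)


def consequence(entry: RiskEntry) -> float:
    """Duration drives severity: an hour, a day and a week are different consequences."""
    return entry.impact_per_hour * entry.duration_hours


def residual_exposure(entry: RiskEntry) -> float:
    """Threat = likelihood x consequence, weighted by asset value; controls diminish it."""
    inherent = entry.likelihood * consequence(entry) * entry.asset_value
    return inherent * (1.0 - entry.control_effectiveness)


def exposure_with_control(entry: RiskEntry, effectiveness: float) -> float:
    """Exposure that would remain if the control were brought to a new effectiveness."""
    return residual_exposure(replace(entry, control_effectiveness=effectiveness))


def prioritize(register: list) -> list:
    """Highest residual exposure first: this is the prioritization step of risk analysis."""
    return sorted(register, key=residual_exposure, reverse=True)


# Constructed sample register: the same outage at three durations, plus one fraud threat.
REGISTER = [
    RiskEntry("order-processing system", "breakdown", 5, 0.20, 2_000.0, 1.0, 0.50),
    RiskEntry("order-processing system", "breakdown", 5, 0.05, 2_000.0, 24.0, 0.50),
    RiskEntry("order-processing system", "breakdown", 5, 0.01, 2_000.0, 168.0, 0.50),
    RiskEntry("payroll file", "fraud", 3, 0.10, 500.0, 8.0, 0.90),
]

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(f"{e.asset:24} {e.threat_type:10} {e.duration_hours:6.0f}h "
              f"residual exposure {residual_exposure(e):10.1f}")
```

The week-long outage ranks first even though it is the least likely, because its consequence grows with duration; raising the control effectiveness on that entry is what brings its exposure back down.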


The Concept of A Control Cannot Exist Without A Clear Focus on The End Achievement

Integrated Control Frameworks

Integrated control frameworks can help identify, measure, and prioritize risk in multiple and related dimensions of a process.  Consequently, they help identify needed controls in these dimensions of the process.


Control Frameworks and Rules and Regulations: An Overview


Integrated control frameworks began to evolve in business and government as a reactive control, in response to multiple control breakdowns.  One of the first to emerge was produced by The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, headed by James Treadway.  This integrated control framework became known as COSO.


The COSO independent commission summoned input from various business and government professionals.  Their purpose was to develop a standardized risk and control framework which could be applied to any business or process.


In addition to providing a standard for risk and control management, which had been inconsistent among businesses and government entities up to this point, this framework introduced a new concept in risk and control management: integration.  This meant that risks and controls would now be evaluated both horizontally and vertically across the multiple entities of an organization.


With COSO risk and controls would now be evaluated in a holistic view of an entire organization including how various entities synergized or did not synergize for a common objective.


It was realized that the root cause of inadequacies in the hard controls actually resided in the adequacy or inadequacy of the soft controls.  A new component of risk and control management was thus introduced with the advent of COSO: COSO encourages a sincere evaluation of the soft controls and issues.


Traditionally, risk and control professionals evaluated the more tangible controls (the hard controls).  The evaluation of soft controls was generally a new concept to traditional risk and control and business professionals.  Assessment of these soft controls would now require professionals to evaluate such things as morale, ethical values, attitude, management philosophy, and employee competency.


2.4  Which of the following best describes the three basic parts of a business process?

1.      in order to achieve anticipated objectives, controls must be managed appropriately

2.      objectives must always be considered independently

3.      the management of risk will help achieve objectives

4.      appropriate and timely management of risk, combined with the appropriate management of controls and common sense works best


Answer 4 is the correct answer.  Answers 1 & 3 could be considered correct but using the words “appropriately” and “timely,” answer 4 has a broader scope.  The right amount of controls and when they are applied is important in an adequate control process.  Answer 2 is incorrect because controls should not be considered independently - they are part of a process.