Captive insurance companies are a sophisticated risk financing mechanism used by organizations. A primary advantage is their ability to gain direct access to the wholesale reinsurance market, which can be more efficient and cost-effective than traditional insurance channels (Statement 2). Furthermore, captives can be tailored to provide coverage for unique, complex, or hard-to-place risks for which the commercial insurance market may offer inadequate or prohibitively expensive coverage. This allows the parent organization to obtain greater or more specific cover than is otherwise available (Statement 3).

1. A captive can act as a reinsurer. This is a common structure, where a captive reinsures risks initially underwritten by a commercial "fronting" insurer.

4. A captive is often located in a different country (an "offshore" domicile) than its parent to benefit from a favorable regulatory and tax environment.

1. Porrini

P. (2017). The use of captive insurance companies in enterprise risk management. The Journal of Risk Finance

18(1)

83-101. On page 87

the author lists "access to the reinsurance market" and the ability to "obtain coverage for risks that are uninsurable in the commercial market" as key advantages of captives

directly supporting statements 2 and 3. (https://doi.org/10.1108/JRF-06-2016-0075)

2. Schmit

J. T.

& Dumm

R. E. (2007). A Guide to Captive Insurance Companies. University of Wisconsin-Madison

School of Business

The American Risk and Insurance Association. This guide explains that captives can operate as either a direct insurer or a reinsurer (p. 4)

invalidating statement 1. It also discusses the strategic choice of domicile

listing numerous popular onshore and offshore locations

which demonstrates that the captive and parent need not be in the same country (p. 6)

invalidating statement 4.

3. Cummins

J. D. (2008). The Economics of the Captive Insurance Company. University of Pennsylvania

The Wharton School

Working Paper. Section 2.1 discusses how captives facilitate access to the reinsurance market. The paper also implicitly supports that captives cover risks unavailable in standard markets by noting their use for financing high-severity

low-frequency risks.

The statement is correct. ISO 31000:2018 is explicitly designed as a set of principles and generic guidelines for risk management. It is not a prescriptive or certifiable standard. Its structure is intentionally high-level to be adaptable to any organization, regardless of its size, sector, or specific context. The standard is clearly divided into key sections that provide an outline for both the risk management framework (Clause 5) and the risk management process (Clause 6), demonstrating that it covers both aspects as a generic guide.

The alternative, "False," is incorrect because it would imply that ISO 31000:2018 is either a specific, mandatory set of rules rather than a generic outline, or that it fails to address both the framework and the process. This contradicts the standard's stated scope and purpose, which emphasize its role as a universal guideline that organizations should tailor to their own needs.

1. ISO 31000:2018

Risk management — Guidelines

Introduction

Paragraph 2: "This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context." This confirms the "generic" and "guideline" nature of the standard.

Clause 1

Scope: "This document provides guidelines on managing risk and is not specific to any industry or sector." This further reinforces its role as a generic outline.

Figure 1 — Principles

framework and process: This diagram visually represents how the standard outlines the framework and process as two distinct but interrelated core components of risk management

which are detailed in their respective clauses.

Clause 5

Framework & Clause 6

Process: The titles and content of these clauses directly confirm that the standard provides a detailed outline for designing and implementing both the organizational framework for risk management and the systematic process for managing risks.

2. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300.

Abstract & Page 274: The authors describe ISO 31000 as a "generic standard" that "proposes a framework and a process for managing risks." This academic analysis validates that the standard's core structure is an outline for both the framework and the process. (DOI: https://doi.org/10.1057/rm.2012.9)

3. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis

30(6)

881-886.

Page 882: "ISO 31000 is a guideline standard... It describes a generic framework and process for managing risk." Although this refers to the 2009 version

the fundamental principle of providing a generic framework and process was carried forward and refined in the 2018 version

making the reference relevant to the standard's core philosophy. (DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x)

The statement is correct. According to the ISO 31000:2018 standard, "Recording and reporting" is an integral and continuous part of the risk management process. Its purpose is to communicate risk management activities and their outcomes across the organization, provide a reliable basis for decision-making, and facilitate continual improvement. Records create a traceable history of risk activities, decisions, and changes, while reports disseminate this information to relevant stakeholders. Together, they form a "continuing account" that ensures transparency, accountability, and the ongoing review of the risk management framework and its effectiveness.

The alternative, "False," is incorrect because it would imply that records and reports are static, one-off activities rather than a dynamic and ongoing process. This contradicts the core principles of ISO 31000, which emphasize risk management as an iterative process that must be continuously monitored, reviewed, and improved. Without a continuing account provided by records and reports, an organization cannot effectively learn from past activities, demonstrate due diligence, or make informed decisions over time.

1. International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management — Guidelines.

Clause 6.6

Recording and reporting: This clause explicitly states that the risk management process and its outcomes should be documented and reported. It details the purpose of this activity

which includes communicating activities and outcomes

providing information for decision-making

and improving risk management activities. This continuous flow of documented information constitutes the "continuing account" of the system.

2. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis: An International Journal

30(6)

881-886.

Section: The Risk Management Process (p. 884): The article discusses the components of the ISO 31000 process

including "communication and consultation" and "monitoring and review

" which are intrinsically linked to recording and reporting. It explains

"The results of risk management should be reported to ensure that information is available for decision making and for improving the risk management process and framework." This supports the concept of reporting as an ongoing function that provides a continuous narrative for governance and improvement.

DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

3. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300.

Section: A Critical Analysis of the ISO 31000 Standard (p. 285): The authors discuss the importance of formalization and documentation within the ISO 31000 framework. They note that the standard promotes a systematic and documented approach

which is essential for accountability and organizational memory. This formal documentation

through records and reports

provides the continuous history and status account of risk management efforts.

DOI: https://doi.org/10.1057/rm.2012.9

According to the ISO 31000:2018 standard, "Recording and reporting" is a distinct and integral part of the risk management process. This step ensures that the risk management process, its activities, and its outcomes are properly documented and communicated to relevant stakeholders. This documentation provides a basis for accountability, supports decision-making, facilitates continual improvement of the framework and process, and creates an organizational record. The standard emphasizes that the purpose of reporting is to share information, which is crucial for governance, assurance, and improving risk management practices.

A. Auditing is a component of the "Monitoring and review" phase, which uses the recorded information but is not the documentation process itself.

C. Visualizing and conceptualizing are techniques that can be used to understand or communicate risk, not the formal process of documentation defined by the standard.

D. "Rationalizing" is not a term used in the ISO 31000 process; "recording" is the specific term for creating a formal record of risk activities.

1. ISO 31000:2018

Risk management — Guidelines. Clause 6.6

"Recording and reporting

" states: "The risk management process and its outcomes should be documented and reported through appropriate mechanisms... Reporting is a key part of the organization’s governance. It should support decision-making and should be tailored to the needs of different stakeholders." (p. 11).

2. Oliveira

D. L.

de Souza

J. A.

& da Silva

J. P. (2021). The ISO 31000 standard and the implementation of enterprise risk management. Journal of Risk and Financial Management

14(9)

404. In its review of the ISO 31000 process (Section 3.2)

the paper highlights "Recording and Reporting" as a central activity that permeates the entire process

ensuring information is captured and disseminated for decision-making and improvement. (DOI: https://doi.org/10.3390/jrfm14090404).

3. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis

30(6)

881-886. This foundational article on the standard explains that the process is not linear and that activities like communication

monitoring

and reporting are continuous and integral to every step

underscoring the importance of documenting and communicating throughout the framework. (DOI: https://doi.org/10.1111/j.1539-6924.2010.01398.x).

ISO 31000:2018 establishes risk management as a core component of an organization's governance and leadership, fundamentally integrating it with strategy and objective-setting. The standard's framework requires that risk management is not treated as a separate, standalone activity but is woven into all significant decision-making processes, including strategic planning. By managing uncertainty related to the achievement of strategic objectives, risk management directly supports and influences the strategic direction of the organization, thereby functioning as a strategic management process.

The option "False" is incorrect. To suggest that risk management is not a strategic process would be to relegate it to a purely operational or compliance-focused function. This view contradicts the primary purpose and principles of ISO 31000, which emphasize the integration of risk management into the highest levels of organizational governance and decision-making to create and protect value.

1. ISO 31000:2018 - Risk management — Guidelines

Clause 4

Principles. Principle (a) states that for risk management to be effective

it should be "Integrated" and that "Risk management is an integral part of all organizational activities." This includes strategic planning and governance.

2. ISO 31000:2018 - Risk management — Guidelines

Clause 5.3

Integration. This section explicitly states that "Integrating risk management relies on an understanding of organizational structures and context. [...] Risk management should be a part of

and not separate from

the organizational purpose

governance

leadership and commitment

strategy

objectives and operations."

3. Purdy

G. (2010). ISO 31000:2009—Setting a new standard for risk management. Risk Analysis: An International Journal

30(6)

881-886. In the abstract and discussion

the author highlights that the standard's purpose is to integrate risk management into an organization's "overall governance

strategy and planning

management

reporting processes

policies

values and culture

" confirming its strategic nature. (DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x)

4. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300. The authors note that ISO 31000 promotes a "holistic and strategic vision of risk management" (p. 274) and is designed to be integrated into the organization's strategic processes. (DOI: https://doi.org/10.1057/rm.2012.9)

ISO 31000:2018 defines risk as the "effect of uncertainty on objectives." While objectives state what an organization wants to achieve, its core processes are the means by which it achieves them. Therefore, linking risk to core processes is a critical factor. The standard emphasizes that risk management must be integrated into all of an organization's activities and functions, including its core operational and management processes. Failure or underperformance of these processes directly creates uncertainty in achieving objectives, making them a fundamental focal point for risk identification and management.

B. Hazard management: This is a subset of risk management that deals specifically with sources of potential harm (negative outcomes), whereas ISO 31000 addresses both positive and negative effects of uncertainty.

C. Risk correlation: This is a specific technique used within the risk analysis step to understand interdependencies between risks, not a primary factor for linking risk to the overall organization's structure.

1. ISO 31000:2018 - Risk management — Guidelines

International Organization for Standardization.

Clause 4

Principle (d) "Integrated": States that "Risk management is an integral part of all organizational activities." This includes core processes.

Clause 5.4.2 "Integration": Explains that integrating risk management requires understanding the organization's "objectives... and processes."

Clause 6.4.2 "Risk identification": Notes that risk identification should consider impacts on objectives and that a possible approach is to analyze "threats to achieving an objective or requirements of a process."

2. Lalonde

C.

& Boiral

O. (2012). "Managing risks through ISO 31000: A critical analysis." Risk Management

14(4)

272-300.

Page 281: The authors discuss that under ISO 31000

risk management is no longer a standalone activity but must be embedded within the "organization’s governance

strategy and planning

management

reporting processes

policies

values and culture." This highlights the centrality of processes. (https://doi.org/10.1057/rm.2012.16)

3. Leitch

M. (2010). "ISO 31000:2009—The new international standard for risk management." Risk Analysis: An International Journal

30(6)

887-892.

Page 890: The article emphasizes that a key principle of ISO 31000 is its integration into organizational processes

stating

"Risk management is not a stand-alone activity... It is part of the responsibilities of management and an integral part of all organizational processes." (https://doi.org/10.1111/j.1539-6924.2010.01426.x)

The scenario describes risks originating from economic changes in the countries where the bank operates. According to ISO 31000, establishing the risk context involves analyzing both internal and external factors. Economic changes, such as inflation, interest rates, and currency fluctuations, are external to the organization and are not within its direct control. These factors are part of the broader marketplace and economic environment. Therefore, classifying these risks as "External – Marketplace" is the most accurate description, as they directly influence the market conditions, competition, and financial landscape in which the bank functions.

A. Internal – Infrastructure.

This is incorrect because economic changes are external to the organization. Infrastructure risks are internal, relating to an organization's physical assets, technology, and facilities.

B. External – Reputational.

This is incorrect because the source of the risk is economic, not reputational. While poor handling of economic challenges could lead to reputational damage, the root cause lies in the marketplace.

1. ISO 31000:2018

Risk management — Guidelines.

Section 6.3.2

Establishing the context: This section states that the external context can include "the social

cultural

political

legal

regulatory

financial

technological

economic

and competitive environment

whether international

national

regional or local." This directly classifies economic changes as an external factor.

2. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis

30(6)

881-886.

Page 884

Section on "Establishing the Context": The article explains that understanding the external environment

including economic factors

is a fundamental step in the ISO 31000 process. It emphasizes that these external drivers create the setting in which the organization pursues its objectives. (DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x)

3. Hopkin

P. (2018). Fundamentals of Risk Management: Understanding

Evaluating and Implementing Effective Risk Management (5th ed.). Kogan Page.

Chapter 11

"Risk Assessment Techniques": This academic textbook

widely used in university courses

discusses risk classification. It aligns with ISO 31000 principles by categorizing external risks using frameworks like PESTLE (Political

Economic

Social

Technological

Legal

Environmental)

confirming that economic factors are a primary category of external risk sources.

ISO 31000:2018 explicitly defines and describes risk management as a systematic and structured process. Clause 6 of the standard is dedicated entirely to this process, outlining its components: establishing the context, risk assessment (identification, analysis, evaluation), and risk treatment. This process takes specific inputs (e.g., organizational objectives, external and internal context), involves a sequence of activities, and produces distinct outcomes (e.g., a better understanding of risks, risk treatment plans, and input for decision-making). The standard's own diagram (Figure 4) visually represents this flow, confirming its nature as a process with inputs, activities, and outcomes.

A. Supply chain management: While it contains numerous processes, it is a broad management discipline, not defined as a singular, specific process within the ISO 31000 framework.

B. Financial management: This is a functional area of management that relies on various processes but is not itself defined as the process in the context of ISO 31000.

C. Quality management: This is a distinct management system (e.g., ISO 9001) with its own process approach, but it is not the subject defined by the ISO 31000 standard.

1. International Organization for Standardization. (2018). ISO 31000:2018 – Risk management — Guidelines.

Clause 6

"Process": This entire section details the systematic activities of risk management

from "Scope

context and criteria" (6.3) through "Risk treatment" (6.5).

Figure 4 — Process: This diagram provides a visual representation of the risk management process

illustrating the flow of activities and the continuous nature of communication

monitoring

and recording.

2. Purdy

G. (2010). ISO 31000:2009—Setting a new standard for risk management. Risk Analysis: An International Journal

30(6)

881-886.

Page 883: The article explicitly identifies the "risk management process" as one of the three core elements of the standard

describing it as a series of steps that organizations should follow. DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

3. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300.

Page 275: The authors describe the ISO 31000 standard's approach

stating

"The risk management process proposed by the ISO 31000 standard is based on a series of logical and systematic stages

" reinforcing its definition as a structured process. DOI: https://doi.org/10.1057/rm.2012.13

The primary role of risk management in the strategic planning process is to inform and improve decision-making by systematically addressing uncertainty. According to ISO 31000, risk is the "effect of uncertainty on objectives." Strategic planning is the process of defining these objectives. Therefore, risk management's role is to identify the potential positive effects (opportunities) and negative effects (threats) that could impact the achievement of these strategic objectives. This provides decision-makers with a comprehensive view, enabling the development of a more resilient and realistic strategy that anticipates and prepares for key uncertainties.

A. Challenging decisions is a potential outcome of providing risk insights, but the primary role is to inform and support decision-making, not solely to challenge it.

B. Developing risk treatment plans is a specific, subsequent step in the risk management process (Clause 6.5) that occurs after risks have been identified and evaluated.

C. Risk management provides critical input to decision-makers; it does not draft or make the strategic decisions, which is a core responsibility of governance and top management.

1. ISO 31000:2018

Risk management — Guidelines

Clause 5.4.1

"Integrating risk management into organizational processes." This section explicitly states that risk management should be a part of an organization's "strategy and planning." This integration ensures that the setting of objectives considers the associated uncertainties.

2. ISO 31000:2018

Risk management — Guidelines

Clause 6.4.2

"Risk identification." This clause details the process of finding

recognizing

and describing risks. In the context of strategic planning

this involves identifying events and circumstances (threats and opportunities) that could affect the organization's strategic goals.

3. Purdy

G. (2010). "ISO 31000:2009—Setting a New Standard for Risk Management." Risk Analysis

30(6)

881-886. The paper emphasizes that a core principle of ISO 31000 is its integration into organizational processes

including strategic planning (p. 882). It clarifies that risk management helps organizations achieve objectives by addressing uncertainty

which inherently involves identifying potential positive and negative outcomes. DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

4. Lalonde

C.

& Boiral

O. (2012). "Managing risks through ISO 31000: A critical analysis." Risk Management

14(4)

272-300. This article discusses how ISO 31000 promotes a proactive approach where risk management is embedded in strategic activities

helping to identify factors (threats and opportunities) that could influence the organization's direction and success (p. 275). DOI: https://doi.org/10.1057/rm.2012.9

Risk assurance is the process of providing confidence that an organization's risk management framework and processes are effective, efficient, and operating as intended. Within the ISO 31000 risk management process, "Monitoring and Review" is the specific step dedicated to this function. Its purpose is to assure and improve the quality and effectiveness of the framework's design, implementation, and outcomes. This involves periodically checking risk information, the effectiveness of controls, and the continued relevance of the risk management process itself, which are the core activities of assurance.

A. Evaluation Context: This is not a standard term in ISO 31000. It likely confuses "Risk Evaluation" (a sub-step of risk assessment) with "Establishing Context," neither of which is the primary assurance step.

B. Establishing Context: This is the foundational step of defining the organization's objectives and the internal/external parameters for managing risk. It sets the stage but does not provide ongoing assurance.

C. Communication and Consultations: This is a continuous activity that supports all other steps by ensuring stakeholder engagement and appropriate information flow, but it is not the mechanism for assurance itself.

1. ISO 31000:2018 - Risk management — Guidelines.

Clause 6.6

"Monitoring and review

" states: "The purpose of monitoring and review is to assure and improve the quality and effectiveness of the framework and process design

implementation and outcomes." This clause directly links the monitoring and review step to the concept of assurance.

2. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis: An International Journal

30(6)

881-886.

Page 884

Section "The Risk Management Process

" describes monitoring and review as essential for ensuring that "the risk management framework and process remain appropriate" and for "learning lessons." This continuous verification is the essence of assurance. DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

3. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300.

Page 278

in its description of the ISO 31000 process

highlights that monitoring and review is an iterative activity that "should be a planned part of the risk management process" to check for changes and the effectiveness of controls

which are key assurance activities. DOI: https://doi.org/10.1057/rm.2012.9