13. Risk identification Flashcards
What are the 3 main sources of risk?
- Stakeholders
- Governance
- External events
How do stakeholders give rise to risks?
- Counterparty risk
- Litigation risk
- Misalignment of incentives risk
- Adverse selection risk
- Moral hazard risk
- Reputation risk
- Market conduct risk
- Operational risk
- Key person risk
How does governance give rise to risks?
- If the RM process is not sufficient, the absence of sufficient processes is itself a source of risk
How do external events give rise to risks?
- Natural disasters
- Utility failure e.g. loadshedding
- War
- Crime
- Corruption
- Political instability
- Resource
- Pollution
- Climate change
- Demographics
- Changes in tastes
- Foreign affairs
- Technology and economic risks
List some economic sources of risk
- GDP
- Sovereign credit rating
- Unemployment rate
- Interest rate
- Inflation rate
- Balance of trade (export more than import, else debt >> sovereign rating affected)
- FX rates
- Tax rates
- Foreign investment flows
- Value of commodities
- Business confidence
Outline properties of emerging risks
- Either new risks or changes in already known risks (or the effectiveness of their controls)
- Subject to high levels of uncertainty and ambiguity
- Difficult to quantify with traditional risk assessment techniques
- Important as could be new opportunity / have major impact on profitability, operations or strategy
Emerging risk trends giving rise to risk management challenges
- Globalisation
- Technology
- Changing market structures
- Restructuring business
What is cyber crime?
- Financial loss, disruption or damage to reputation from some failure of IT systems
Give examples of cyber crime
o Hacking
o Security breaches
o Espionage
o Data theft
o Extortion
o Privacy breaches
o Cyber terrorism
How would you identify and control cyber crime?
Identification
* Horizon scanning with experts and external info
Controls
* Strong IT security (e.g. firewalls, malware protection)
* Clear policies and incident management process
* Regular monitoring
* Cyber risk insurance
What is climate change?
- Risk arising from adverse changes in physical environment and secondary impacts in the economy at a regional or global scale
What are the 3 classification effects of climate risk?
o Physical – relates to first-order effects of environmental changes
o Transitional – arises from shift to low carbon economy
o Liability – arises from injured parties wanting compensation
How would you assess climate risk?
o Forward looking techniques allowing for constraints and dynamic interactions
List emerging risk
- Cybercrime
- Climate change
- Cloud computing
- Social media
- Fake news
- Legacy systems
- Automation
- Unknown risks
What is the difference between inherent and residual risk?
- Inherent risk – risk to org without any risk management actions to change likelihood/impact
- Residual risk – remaining risk after management has taken action to alter likelihood/impact
o May be a secondary risk arising from taking another risk response action
A.I.A.E.U.R
Outline the risk identification process
- Analyse business operations and wider environment. Ensuring clear business objectives
- Identify key business risks in structured way
- Obtain agreement on risks faced, relationships between them and accountabilities of each risk and its management
- Evaluate risks in terms of probability, severity and interdependency, gross and net of existing controls
- Produce / update risk register, prioritising top risks for further analyses, quantification and risk mitigation
- Review risk register regularly, especially during times of change. (Ideally integrate assessments into everyday business operations)
idea generation tools to identify risks
Give examples of risk identification tools
- SWOT
- Risk checklist
- Case studies
- Risk prompts lists
- Process analysis
- Risk taxonomy
- Horizon scanning
techniques to implement tools
Give examples of risk identification techniques
- Brainstorming
- Surveys
- Delphi meetings
- Interviews
- Working groups
- Gap analysis
What is a risk register?
Document detailing all risks faced by company
List the desired features of a risk register
- Risk numbering system
- Risk categories for each risk- must accommodate risks that fall in different categories
- Risk description
- Risk source
- Risk assessment
o Frequency
o Severity
o Duration
o Correlation
- Risk management
o Prioritisation
o Risk control
o Risk response
o Risk costs
o Residual risks
o Who is responsible?
- Risk monitoring
o Effectiveness of risk control cycle
o Risk occurrence
o Risk damage
o Risk concerns
What is a risk map?
illustrates effect risk may have on company by ranking risk exposures by severity on x-axis and probability on y-axis.
o May also help show results of how effective risk control is by mapping inherent and residual risks
What is a heat map?
- Heat map plots severity against control effectiveness rating
What is the problem of bias?
when risks are not identified, assessed or reported in a true and honest way
Give examples of bias
- Overconfidence
- Anchoring
- Representative heuristic
How can you reduce bias?
- Incorporating checks and balances into risk identification and assessment process, e.g.
o Independent review
o Referencing similar projects
- Introducing optimism bias, where capital cost is increased by % based on past cost over-runs