4 - Workplace: Risk Management Flashcards
Risk
- “The effect of uncertainty on objectives” (from ISO 31000)
- Could take the form of threats or opportunities
Risk Management
- “Coordinated activities to direct and control an organization with regard to risk”
- Change probabilities or magnitude of impact on objectives
Benefits of Risk Management
- Strategic alignment of risk levels and management
- More effective response to risk
- More consistent response across the organization
- Fewer resources wasted
- More integrated vision of risk in the organization
Barriers to Risk Management
- Structural—silo organizational structures
- Cognitive—mindset lacking imagination, or one of unreasonable optimism, resistance to change
- Cultural—poor alignment of the organization’s culture; inadequate communication of the culture’s risk approach
ISO 31000
11 principles—for example:
- Focused on value and continual improvement
- Integrated into all processes and decision making
- Transparency
- Responsive to change
Framework
- Management commitment
- Policies, processes, ethics, values, leaders’ examples, culture
Risk management process
Step 1: Establish the context of risk.
Risk Management
- Know internal and external sources of risk.
- Define risk criteria:
- Risk position (acceptable gain or loss)
- Risk appetite and risk tolerance (acceptable amount of uncertainty)

Strength of Organization’s Governance
Common Misaligned Risks
Moral hazard
- One party engages in risky behavior knowing that another party will incur any resulting loss.
Principal-agent problem
- An agent (the employee, EE) makes decisions on behalf of a principal (the employer, ER) but has personal incentives not aligned with those of the principal (ER).
Conflict of interest
- A person or organization has the potential to be influenced by two opposing sets of incentives.
Step 2: Identify and analyze risks.
Risk Management
Methods:
- Experts and information sources
- Focus groups and interviews
- Surveys
- Process analysis
- Direct observation
Duty of Care
Employer’s responsibility to take all reasonable steps to ensure the health, safety, and well-being of employees and protect them from foreseeable injury
Risk Formula
Risk level = Probability of occurrence × Magnitude of impact
Risk Scorecard

Risk Matrix

Prepare, Act, Park, Adapt (PAPA) model

Key Risk Indicators (KRIs)
Early signals of increasing risk exposure; critical part of preparedness.
- Strategically aligned.
- Developed by identifying root causes of risks and intermediate events.
- Monitor for changes
Risk Register
- Risk category
- Risk event
- Risk classification
- KRIs
- Risk management controls
- Risk owner(s)
- Reporting requirements
Step 3: Manage risk.
Eliminate Uncertainty
Redefine Ownership
Increase/Decrease Effect
Take No Action
Residual Risk
The amount of risk that remains after all management efforts have been exhausted
Implementing Risk Management Plan
- Define objectives.
- Be strategically focused.
- Combine activities and results.
- Combine lagging and leading metrics.
- Modify risks related to noncompliance.
- Instill risk management principles in organization’s members and processes.
- Integrate actions across organization.
- Communicate needs, expectations, and new policies and processes
Emergency Preparedness
- Emergency response planning and training
- Securing employee health and safety
Business Continuity Plan
- Continuation of critical business processes
- Securing and supporting necessary human resources
Crisis Management Process

Contingency Plans
- Policies
- Evacuation and relocation
- Communication
- Training
- Continuity
Managing Workplace Risk
- Security threats
- Cyber threats
- Physical security
- Illness and injury
- Physical
- Chemical
- Biological
- Drug use
- Illegal or legal drugs or alcohol
- Before, during, or after working hours
Step 4: Evaluate.
- Increase transparency and accountability
- Confirm compliance
- Assess the effectiveness of individual strategies
- Assess the effectiveness of the organization’s risk management framework
- Continually improve risk management skills
- Conduct debriefs and incident investigations
- Facilitate and investigate whistleblowing charges (and prevent retaliation).
- Conduct audits.
- Health and safety
- Compliance
- Process
Quality Assurance (QA)
- Helps to ensure that work is performed according to standards and that processes are used correctly and completely.
- Considers proactive, preventive, predictive, and preemptive actions.
Risk management is not static; it is a continuous activity.
Continuous Improvement
Equates to organizational approaches to improve and maintain the quality of risk management processes.
Known Knowns
Events that are to be expected and so involve little uncertainty.
Known Unknowns
Uncertainties that we know exist but we don’t know much about their probability or impact.
Unknown Unknowns
- Risks that we don’t know exist.
- They are the events that “blindside” an organization (or individuals or entire cultures)
Internal and Preventable
Kaplan and Mikes
These risks come from within the organization and could include violations of ethics and failures in routine processes.
Strategy
Kaplan and Mikes
- This is desirable uncertainty that an organization willingly accepts when it commits to a strategy.
- Example: Uncertainty whether loans can be repaid or employees will be fully productive.
External
Kaplan and Mikes
- These sources of uncertainty are outside the organization and beyond its control.
- They would include changes in the economy or laws and regulations, disruptive technologies, and availability of trained employees.
Enterprise Risk Management—Integrated Framework (ERM Framework)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Considers risk to be an integrated issue that must be managed across functions and divisions in an enterprise.
- 4 categories:
- Strategy
- Operations
- Financial Reporting
- Compliance
Strategy
Enterprise Risk
Risks that affect the organization’s ability to achieve its objectives
Operations
Enterprise Risk
Risks that affect the myriad ways in which the organization creates value
Financial reporting
Enterprise Risk
Risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition
Compliance
Enterprise Risk
Risks associated with meeting the requirements of laws and regulations
Tools to Prevent Risk
- SWOT: assess strategic capabilities in comparison to threats and opportunities
- PESTLE: searches for environmental forces (political, economic, social, technological, legal, environmental)
Risk Position
Organization’s desired gain or acceptable loss in value
Risk Appetite / Risk Tolerance
Single Loss Expectancy
SLE
Expected monetary loss every time a risk occurs:
= Asset Value (AV) x Exposure Factor (EF)
Annualized Loss Expectancy
ALE
Expected monetary loss of an asset due to risk over a one-year period
= Single Loss Expectancy x Annualized Rate of Occurrence (ARO)
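The risk formula, risk matrix and risk register cards above, together with the SLE/ALE cards, can be worked through in one place. The following Python module is an added illustration, not part of the flashcards: it scores register entries on ordinal probability and impact scales, bands them into matrix classifications, and then uses SLE and ALE to compare a control against its annual cost, with the post-control ALE standing in for residual risk. The scale values, band thresholds, register rows, asset value, exposure factors, ARO and control cost are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordinal scales assumed for the qualitative matrix (1 = lowest, 5 = highest).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def risk_level(probability: str, impact: str) -> int:
    """Risk level = probability of occurrence x magnitude of impact (ordinal 1-25)."""
    return SCALE[probability.lower()] * SCALE[impact.lower()]


def classify(level: int) -> str:
    """Map a risk level onto matrix bands; the thresholds are an assumption."""
    if level >= 15:
        return "critical"
    if level >= 8:
        return "high"
    if level >= 4:
        return "medium"
    return "low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of asset value lost per occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is expected occurrences per year (may be < 1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's own cost.

    ale_after is the residual ALE once the control is in place; a negative
    result means the control costs more per year than the loss it prevents.
    """
    return (ale_before - ale_after) - annual_control_cost


@dataclass
class RiskEntry:
    """One row of a risk register; fields follow the register card."""
    category: str
    event: str
    probability: str
    impact: str
    owner: str
    kris: list = field(default_factory=list)      # key risk indicators to monitor
    controls: list = field(default_factory=list)  # risk management controls

    @property
    def level(self) -> int:
        return risk_level(self.probability, self.impact)

    @property
    def classification(self) -> str:
        return classify(self.level)


def prioritize(register: list) -> list:
    """Return register entries ordered highest risk level first (stable for ties)."""
    return sorted(register, key=lambda e: e.level, reverse=True)


# Constructed sample register (not from any real assessment).
REGISTER = [
    RiskEntry("cyber", "ransomware on file server", "medium", "very high", "CISO",
              kris=["critical patches older than 30 days", "phishing click rate"],
              controls=["offline backups", "EDR"]),
    RiskEntry("physical", "unbadged entry to data hall", "low", "high", "Facilities",
              kris=["tailgating incidents per month"], controls=["mantrap"]),
    RiskEntry("health", "slip on wet loading dock", "high", "low", "Site safety",
              kris=["near-miss reports"], controls=["anti-slip mats"]),
]


def ransomware_control_case() -> dict:
    """Quantify the ransomware entry and test whether offline backups pay for themselves.

    Assumed figures: file server data valued at 2,000,000; one ransomware event
    destroys 60% of that value (EF = 0.6) and is expected once every four years
    (ARO = 0.25). With tested offline backups EF drops to 0.1; backups cost
    40,000 per year. The post-control ALE is the residual risk.
    """
    sle = single_loss_expectancy(2_000_000, 0.6)
    ale = annualized_loss_expectancy(sle, 0.25)
    residual_ale = annualized_loss_expectancy(single_loss_expectancy(2_000_000, 0.1), 0.25)
    return {
        "sle": sle,
        "ale": ale,
        "residual_ale": residual_ale,
        "net_control_value": control_value(ale, residual_ale, 40_000),
    }


if __name__ == "__main__":
    for entry in prioritize(REGISTER):
        print(f"{entry.level:>2} {entry.classification:<8} {entry.event} (owner: {entry.owner})")
    print(ransomware_control_case())
```

Two points the cards alone do not show: two register rows can land in the same matrix band by different routes (a likely but minor event and an unlikely but serious one both score 8 here), which is why the register keeps the underlying probability and impact rather than only the band; and a control is justified only when the ALE it removes exceeds what it costs each year, so a cheap control against a rare, catastrophic event can still be worth more than an expensive one against a frequent nuisance.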
Moral Hazard
When one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.
- Underreport accidents to earn an incentive
- Overuse health benefits
- Overestimate an inventory count to understate the cost of goods sold
- Borrow beyond ability to repay the loan
Principal-Agent Problem
(Agency Dilemma)
Economic concept often associated with moral hazard in employment.
- When an employee makes decisions on behalf of the employer but has personal incentives not aligned with the employer's.
Conflict of Interest
MECE
Mutually Exclusive, Collectively Exhaustive
Whistleblowing
Employees' reporting of an organization's violations of laws, policies, or processes; applies directly to risk management