8. The Risk Management Process Flashcards

0
Q

Objective setting should be an integrated process linking what to what?

A

Top level corporate planning

To business activities and operations

1
Q

What is the starting point for the risk management process?

A

Business objectives

2
Q

As objectives are cascaded down the organisation, they become more —

A

Specific

3
Q

Objectives should be SMART, which means…

A

Specific
Measurable
Achievable
Realistic
Time bounded

4
Q

Once objectives have been agreed, they should be — for clarification and referral

A

Documented

5
Q

Define risk IDENTIFICATION

A

The process of determining what events might occur
To affect the objectives of the organisation
And their root causes

6
Q

Define risk ANALYSIS

A

The systematic use of available information
To determine the likelihood of specified events occurring
And the magnitude of their consequences

7
Q

Define risk EVALUATION

A

The process used to determine risk management priorities
By comparing the level of risk against
Predetermined standards
Target risk levels
Or other criteria

8
Q

Risk ASSESSMENT is composed of which three sub-processes?

A

Risk identification
Risk analysis
Risk evaluation

9
Q

Risk identification needs to be set in the context of what three things?

A

The organisation’s
Environment
Strategy
Attitude to risk

10
Q

The organisation’s environment includes what six contexts?

A

Political
Economic
Socio-cultural
Technological
Legislative
Ethical
(PESTLE)

11
Q

Strategy is how the organisation plans to…

A

Achieve its objectives

12
Q

Ideally the risk management process should be — in the organisation

A

Embedded

13
Q

What is the aim of risk identification?

A

To generate a comprehensive list of events
That might affect each business objective
Including the possible causes and scenarios
So that risks are well understood
And their management can be planned and implemented

14
Q

Risk management needs to be practised at — — within an organisation

A

All levels

15
Q

Why does risk management need to be practised at all levels of the organisation?

A

Because different kinds of risk, different impacts and probabilities are apparent to people at different levels and locations

16
Q

What are the four high-level methods for identifying risks?

A

Checklists
Benchmarking
Vulnerability assessment
Scenario planning

17
Q

An off-the-shelf checklist of sources of risk should include both — and — factors

A

Internal and external factors

18
Q

When identifying risk, some organisations use a checklist of areas of impact, such as…

A

Increased cost
Loss of revenue
Assets
Personnel
Reputation
Quality
Capacity
Capability to deliver

19
Q

In risk identification, what are the limitations of checklists?

A

Difficult to adapt to organisation’s circumstances

May not prompt identification of NEW risks

20
Q

In risk identification, BENCHMARKING provides useful — — on other organisation’s risk activities

A

Comparative information

21
Q

In risk identification, vulnerability assessment entails what?

A

1. Analysing the processes supporting overall business objectives
2. Flagging up where failure or opportunities may occur

22
Q

In risk identification, how does SCENARIO PLANNING basically work?

A

Analysts review PESTLE trends
And devise scenarios
Assigning a probability of occurrence to each

23
Q

Each of the four main methods of risk identification may be used in a range of exercises. These exercises may include…

A

Questionnaires
Brainstorming sessions
CRSA workshops

24
Q

In risk identification, name some advantages of using risk questionnaires

A

Standardised risk model can be circulated
Cheap and easy to employ

25
Q

In risk identification, name some drawbacks to the use of risk questionnaires

A

Depends on the level of understanding of respondents
Tend to ask closed questions
Often drawn up by the head of IA and may not have management support

26
Q

In risk identification, name some advantages of using brainstorming sessions

A

Creative - may lead to identification of new risks
Uses the knowledge and experience of management and staff

27
Q

In risk identification, name some disadvantages of brainstorming sessions

A

Unless used as part of a broader programme with other techniques, does not lend itself to risk evaluation, analysis, assessment or risk response selection

28
Q

Where time and management preferences allow, what is the most favoured technique of risk identification?

A

The risk identification workshop

29
Q

What elements of the risk management process can the risk identification workshop be used to identify?

A

All of them:
Risks
Existing risk management actions
Processes for embedded monitoring
Additional assurance available to management
Evaluation of risks and responses

30
Q

USUALLY, participants in a risk identification workshop are restricted to...

A

Top management of a business unit

31
Q

The value of a risk identification workshop lies as much in participants --- --- the process as in the documentation generated

A

Working through

32
Q

Risk identification workshops have the potential to build --- --- throughout the organisation and provide a sense of --- over risks

A

Risk awareness
Ownership

33
Q

Name some drawbacks of risk identification workshops

A

Can be expensive and tie up people for long sessions
Quality of output dependent on the level of understanding and commitment
Sometimes impossible to get the entire management team together in the required time frame

34
Q

In risk identification, CRSA is the assessment of risk and controls by ---, not just management

A

Staff

35
Q

In risk identification, what may CRSA entail?

A

Anything between a control self-certification signed off by management
Through questionnaires
To a full-blown programme of enterprise-wide facilitated risk identification, analysis, evaluation and assessment workshops

36
Q

In its most simplistic form, what are the three stages of CRSA?

A

Identify objectives for the area and the risks
Evaluate responses in place or required
Implement and monitor the effectiveness of responses

37
Q

The right --- is critically important for CRSA workshops

A

Facilitator

38
Q

An essential pre-requisite for understanding the likely success of a CRSA programme is an understanding of the organisation's ---

A

Culture

39
Q

When using CRSA to identify risks, it is essential to obtain proper and full --- from the top, to ensure it is taken seriously and acted upon

A

Sponsorship

40
Q

Advance --- and --- are essential for CRSA, to ensure participants understand the purpose and process

A

Planning and preparation

41
Q

When planning a CRSA, it is important to select experienced and skilled --- ---

A

Workshop facilitators

42
Q

The right --- of participants in CRSA ensures contributions are obtained from those who manage, perform and interact with the activities being reviewed

A

Mix

43
Q

CRSAs should be organised around agreed --- --- to prevent dominance by one individual or group

A

Ground rules

44
Q

In the course of a CRSA, it is advisable to use a --- --- control framework against which to assess the effectiveness of the risk management activities in place

A

Good practice

45
Q

In the course of a CRSA, it is vital not to miss --- --- and --- --- risk responses

A

Cross-functional
Inter-departmental

46
Q

The results of a CRSA must be r--- to enable appropriate follow-up and ensure agreed actions are pursued to completion

A

Recorded

47
Q

List the potential benefits of CRSA

A

Articulates the organisation's attitude to risk and control
Raises awareness of RM at all levels
Transfers ownership of risk to management and staff
Considers risks and controls in a constructive way
Improves motivation and performance
Provides assurance to senior management on the effectiveness of existing controls against risks
Improves the level of assurance given to external stakeholders

48
Q

--- --- risk management involves the board identifying key risks and then circulating them to management for review

A

Top-down

49
Q

--- --- risk management involves front-line management identifying the key risks and passing them up the line to top management for review

A

Bottom-up

50
Q

What are the main advantages of top-down risk identification?

A

Strategic focus
Good buy-in at the most senior level
Consistency across business units
Manageable number of risks
Speed

51
Q

What are the main disadvantages of a top-down approach to risk identification?

A

Lack of realism
Lack of buy-in at lower levels
Lack of management responsibility for risks or responses
Root causes of risk may elude top management
Superficiality

52
Q

What are the main advantages of a bottom-up approach to risk identification?

A

Buy-in at all levels of the organisation
Establishment of management responsibility for risks and responses
Avoids a "one-size-fits-all" attitude
Assists in discovering root causes of risk
Wide involvement is seen as best practice in risk identification

53
Q

What are the main disadvantages of a bottom-up approach to risk management?

A

Huge volume of detail
May be too blinkered by detail
Lack of strategic focus
Effort required to collect and analyse data
Cost, resources and time commitment

54
Q

In risk analysis, --- is the chances or odds of a specific event occurring

A

Likelihood

55
Q

Likelihood may be expressed in both q--- and q--- terms

A

Qualitative and quantitative

56
Q

The two types of quantitative expression of likelihood are...

A

Probability
Frequency of occurrence

57
Q

What is the advantage of using probability to express the likelihood of a risk occurring?

A

Simpler to understand

58
Q

What is the disadvantage of using probability to express the likelihood of a risk occurring?

A

No reference point in time or in severity of impact

59
Q

What is the advantage of using frequency of occurrence to express likelihood?

A

Takes account of impact and expresses likelihood with reference to time

60
Q

What is the disadvantage of using frequency of occurrence to express the likelihood of a risk occurring?

A

More complex and may be confusing to senior management

61
Q

In risk analysis, --- is the outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain

A

Impact

62
Q

What are the three broad approaches to risk analysis?

A

Quantitative
Qualitative
Hybrid

63
Q

The quantitative approach to risk analysis expresses risks --- relative to each other

A

Numerically

64
Q

Describe the steps in a quantitative approach to risk analysis

A

Financial value of impact estimated
Assessment made on a number of probability factors, to which weightings are assigned
Financial value multiplied by the various probability factors
Single rating calculated for each risk
Risks ranked by their ratings

65
Q

What are the main advantages of the quantitative approach to risk analysis?

A

Appeals to a quantitative style of management
Clearly ranks risks so that management attention can be focused on key priorities
If only two factors are used, risks can be plotted on a graph

66
Q

What are the disadvantages of a quantitative approach to risk analysis?

A

Complex and time-consuming when multiple risk factors are analysed
If results are contrary to common sense they may be ignored - the assessor may fudge results
If ratings include adequacy of controls as a probability factor, they do not make explicit the perceived effectiveness of RM activities

67
Q

--- methods of risk analysis judgmentally rate risks relative to each other with descriptive adjectives such as high, medium or low

A

Qualitative

68
Q

Generally, qualitative risk analyses consider only two risk factors, --- and ---

A

Impact and likelihood

69
Q

How may impact be rated when using a qualitative method of risk analysis?

A

High, medium or low
Within broad financial bands
According to non-financial impacts (e.g., minor injury, serious injury, single fatality, etc.)

70
Q

What are the advantages of qualitative risk analyses?

A

Rapid and simple to use
Provide a general prioritisation to help direct management
Accord more with common sense

71
Q

What are the disadvantages of a qualitative approach to risk analysis?

A

Can be a turn-off to a quantitative style of management
Where many high-impact/high-likelihood (HH) risks are identified, further prioritisation may be needed

72
Q

Whether for quantitative or qualitative approaches to risk analysis, list some sources of information that may be used to help establish likelihood and impact

A

Historical records
Relevant experience
Industry practice and experience
Relevant published literature
Market research
Experiments and prototypes
Economic, engineering or other models
Specialist and expert judgements

73
Q

When trying to establish likelihood/impact, list some techniques that could be used to gather data

A

Interviews with relevant experts
Use of multidisciplinary groups of experts
Individual evaluations using questionnaires
Computer and other modelling techniques
Fault trees and event trees

74
Q

When evaluating risk, it is important to distinguish between the evaluation of i--- risk and r--- risk

A

Inherent and residual

75
Q

What constitutes the difference between inherent and residual risk?

A

The measure of the effectiveness of the risk management responses

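The quantitative rating procedure of cards 64-66, the two-factor impact/likelihood matrix of cards 68-69 and the inherent/residual distinction of cards 74-75, worked through as an added Python example. This is not part of the original flashcard deck. The factor names, their weightings, the control-effectiveness figures and the four-risk register are constructed assumptions; combining the weighted factors into one probability score before multiplying by the financial impact is likewise an assumed reading of "financial value multiplied by various probability factors".

```python
"""Risk rating calculator: an added example, not part of the original deck.

Covers the quantitative approach (financial impact x weighted probability
factors -> single rating -> ranking), the two-factor qualitative matrix
(impact and likelihood rated L/M/H) and the inherent/residual distinction.
All factor names, weightings and register entries are constructed.
"""
from dataclasses import dataclass

# Constructed weightings for the probability factors (assumption; sum to 1.0).
FACTOR_WEIGHTS = {"history": 0.5, "complexity": 0.3, "exposure": 0.2}

# Qualitative bands mapped to ordinal scores for the two-factor matrix.
BAND_SCORE = {"L": 1, "M": 2, "H": 3}


@dataclass
class Risk:
    name: str
    impact_value: float           # estimated financial impact of the event
    factors: dict                 # probability factors, each scored 0.0-1.0
    control_effectiveness: float  # share of inherent risk removed by responses, 0.0-1.0
    impact_band: str              # qualitative impact: L, M or H
    likelihood_band: str          # qualitative likelihood: L, M or H

    def __post_init__(self):
        for k, v in self.factors.items():
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: factor {k!r} out of range: {v}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness out of range")
        if self.impact_band not in BAND_SCORE or self.likelihood_band not in BAND_SCORE:
            raise ValueError(f"{self.name}: bands must be L, M or H")


def weighted_probability(factors, weights=FACTOR_WEIGHTS):
    """Combine the scored probability factors into one weighted score in [0, 1]."""
    missing = set(weights) - set(factors)
    if missing:
        raise ValueError(f"missing probability factors: {sorted(missing)}")
    return sum(weights[k] * factors[k] for k in weights)


def inherent_rating(risk):
    """Single numeric rating: financial impact times the weighted probability,
    before any risk management response is taken into account."""
    return risk.impact_value * weighted_probability(risk.factors)


def residual_rating(risk):
    """Inherent rating reduced by the measured effectiveness of the responses.
    Control adequacy is applied here, not hidden inside the probability factors,
    so the effect of risk management activity stays explicit."""
    return inherent_rating(risk) * (1.0 - risk.control_effectiveness)


def rank(risks, rating=inherent_rating):
    """Risks ordered by the chosen rating, highest first."""
    return sorted(risks, key=rating, reverse=True)


def qualitative_cell(risk):
    """Position in the impact/likelihood matrix, e.g. 'HM' = high impact, medium likelihood."""
    return risk.impact_band + risk.likelihood_band


def qualitative_score(risk):
    """Ordinal product of the two bands (1-9); only a coarse prioritisation."""
    return BAND_SCORE[risk.impact_band] * BAND_SCORE[risk.likelihood_band]


def needs_further_prioritisation(risks):
    """True when more than one risk lands in the HH cell, so the qualitative
    rating alone cannot order the top priorities."""
    return sum(1 for r in risks if qualitative_cell(r) == "HH") > 1


# Constructed sample register (assumed figures, for illustration only).
REGISTER = [
    Risk("Supplier failure", 500_000,
         {"history": 0.6, "complexity": 0.4, "exposure": 0.5}, 0.5, "H", "M"),
    Risk("Data centre outage", 800_000,
         {"history": 0.2, "complexity": 0.5, "exposure": 0.3}, 0.8, "H", "H"),
    Risk("Payroll error", 50_000,
         {"history": 0.9, "complexity": 0.2, "exposure": 0.8}, 0.1, "L", "H"),
    Risk("Regulatory fine", 300_000,
         {"history": 0.4, "complexity": 0.6, "exposure": 0.9}, 0.2, "H", "H"),
]


def ranking_names(risks=REGISTER, rating=inherent_rating):
    """Names of the risks in rating order, highest first."""
    return [r.name for r in rank(risks, rating)]


if __name__ == "__main__":
    for label, rating in (("inherent", inherent_rating), ("residual", residual_rating)):
        print(f"{label} ranking:")
        for r in rank(REGISTER, rating):
            print(f"  {rating(r):>12,.0f}  {qualitative_cell(r)}  {r.name}")
    if needs_further_prioritisation(REGISTER):
        print("more than one HH risk: qualitative rating alone does not rank the top priorities")
```

On the constructed register the inherent ranking puts "Supplier failure" first, but once control effectiveness is applied "Regulatory fine" moves to the top. That re-ordering is only visible because the effectiveness of responses is kept as its own term rather than folded into the probability factors, which is the weakness card 66 warns about; and two risks sit in the HH cell, so the qualitative score alone cannot separate them, as card 71 notes.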
76
Q

What factors may affect risk appetite?

A

Organisation size
Organisation environment
Organisational culture and ethos
Organisation's products and services
Stakeholder desires
Competitors' activities
Knowledge and experience of staff
Legislation and regulation

77
Q

In non-financial businesses, a q--- concept of risk appetite based on subjective preferences may be more helpful

A

Qualitative

78
Q

With reference to risk appetite, what are the six postulates of RISK COMPENSATION THEORY?

A

Everyone has a propensity to take risks
Propensity varies from individual to individual
Propensity is influenced by the potential rewards of risk taking
Perceptions of risk are influenced by experience of accident losses
Individual risk-taking decisions balance risk perception against propensity to take risk
The greater the risk taken, on average the greater the reward or loss

79
Q

Who should dictate the overall risk appetite within an organisation?

A

The board of directors

80
Q

Why should an organisation identify its risk appetite?

A

So that decisions about responses are weighed against agreed criteria

81
Q

If the board's perspective on risk is to prevail over the perspectives of local management, what should be in place?

A

Clear risk policies

82
Q

List five downsides to a risk-averse approach

A

Failure to treat risks
Leaving critical decisions to other parties
Deferring decisions which the organisation cannot avoid
Selecting an option because it represents a potentially lower risk regardless of benefits
Avoiding or ignoring risk regardless of the information available or the cost of treating the risk

83
Q

What are the main types of risk response?

A

Terminate
Tolerate
Transfer
Treat
(Exploit)

84
Q

What are the two main internationally known control frameworks?

A

COSO framework
CoCo framework (Criteria of Control, Canadian Institute of Chartered Accountants)

85
Q

What is COSO's definition of internal control?

A

A process
Effected by an entity's board of directors, management and other personnel
Designed to provide reasonable assurance
Regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with laws and regulations
Safeguarding of resources

86
Q

What are the five components of the COSO integrated framework?

A

Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities

87
Q

What are the four fundamental concepts of internal control implied in COSO's definition?

A

Internal control:
Is an integrated process
Is effected by people (so imprecise)
Provides only reasonable assurance
Is geared to the achievement of objectives

88
Q

What are the four categories of control by TYPE?

A

Directive
Preventive
Detective
Corrective

89
Q

Give some examples of DIRECTIVE controls

A

Plans and objectives
Policy statements
Processes, procedures and guidance manuals
Signage or traffic lights
Training programmes and CPD

90
Q

Give some examples of PREVENTIVE controls

A

Physical or logical access controls
Segregation of duties
Protective clothing
Vetting of job applicants
Security guards

91
Q

Give some examples of DETECTIVE controls

A

Fire or smoke detectors
Account reconciliations
CCTV cameras
Supervisory checks
Asset or stock checks
External audit

92
Q

Give some examples of CORRECTIVE controls

A

Insurance policies
Business continuity plans
Recovery of overpayments
Refresher training
Conduct and disciplinary activity

93
Q

What are the eight categories of control by FORM?

A

SOAPMAPS:
Supervisory
Organisational
Authorisation
Personnel
Management
Accounting
Physical
Segregation of duties

94
Q

What four key attributes of an accounting system should ACCOUNTING controls address?

A

CAVA:
Completeness
Accuracy
Validity
Authorisation