8. The Risk Management Process Flashcards
Objective setting should be an integrated process linking what to what?
Top level corporate planning
To business activities and operations
As objectives are cascaded down the organisation, they become more —
Specific
Objectives should be SMART, which means…
Specific, Measurable, Achievable, Realistic, Time-bounded
Once objectives have been agreed, they should be — for clarification and referral
Documented
Define risk IDENTIFICATION
The process of determining what events might occur
To affect the objectives of the organisation
And their root causes
Define risk ANALYSIS
The systematic use of available information
To determine the likelihood of specified events occurring
And the magnitude of their consequences
Define risk EVALUATION
The process used to determine risk management priorities
By comparing the level of risk against
Predetermined standards
Target risk levels
Or other criteria
Risk ASSESSMENT is composed of which three sub-processes?
Risk identification
Risk analysis
Risk evaluation
Risk identification needs to be set in the context of what three things?
The organisation’s
Environment
Strategy
Attitude to risk
The organisation’s environment includes what six contexts?
Political, Economic, Socio-cultural, Technological, Legislative, Ethical (PESTLE)
Strategy is how the organisation plans to…
Achieve its objectives
Ideally the risk management process should be — in the organisation
Embedded
What is the aim of risk identification?
To generate a comprehensive list of events
That might affect each business objective
Including the possible causes and scenarios
So that risks are well understood
And their management can be planned and implemented
Risk management needs to be practised at — — within an organisation
All levels
Why does risk management need to be practised at all levels of the organisation?
Because different kinds of risk, and different impacts and probabilities, are apparent to people at different levels and locations
What are the four high-level methods for identifying risks?
Checklists
Benchmarking
Vulnerability assessment
Scenario planning
An off-the-shelf checklist of sources of risk should include both — and — factors
Internal and external factors
When identifying risk, some organisations use a checklist of areas of impact, such as…
Increased cost
Loss of revenue
Assets
Personnel
Reputation
Quality
Capacity
Capability to deliver
In risk identification, what are the limitations of checklists?
Difficult to adapt to organisation’s circumstances
May not prompt identification of NEW risks
In risk identification, BENCHMARKING provides useful — — on other organisations' risk activities
Comparative information
In risk identification, vulnerability assessment entails what?
Analysing the processes that support overall business objectives
Flagging up where failures or opportunities may occur
In risk identification, how does SCENARIO PLANNING basically work?
Analysts review PESTLE trends
And devise scenarios
Assigning a probability of occurrence to each
Each of the four main methods of risk identification may be used in a range of exercises. These exercises may include…
Questionnaires
Brainstorming sessions
Control risk self-assessment (CRSA) workshops
In risk identification, name some advantages of using risk questionnaires
Standardised risk model can be circulated
Cheap and easy to employ
In risk identification, name some drawbacks to the use of risk questionnaires
Depends on level of understanding of respondents
Tend to ask closed questions
Often drawn up by the head of internal audit (IA) and may not have management support
In risk identification, name some advantages of using brainstorming sessions
Creative - may lead to identification of new risks
Uses knowledge and experience of management and staff
In risk identification, name some disadvantages of brainstorming sessions
Unless used as part of broader programme with other techniques, does not lend itself to risk evaluation, analysis, assessment or risk response selection
Where time and management preferences allow, what is the most favoured technique of risk identification?
The risk identification workshop
What elements of the risk management process can the risk identification workshop be used to identify?
All of them:
Risks
Existing risk management actions
Processes for embedded monitoring
Additional assurance available to management
Evaluation of risks and responses
USUALLY, participants in a risk identification workshop are restricted to…
Top management of a business unit
The value of a risk identification workshop lies as much in participants — — the process as the documentation generated
Working through
Risk identification workshops have the potential to build — — throughout the organisation and provide a sense of — over risks
Risk awareness
Ownership
Name some drawbacks of risk identification workshops
Can be expensive and tie up people for long sessions
Quality of output dependent on level of understanding and commitment
Sometimes impossible to get entire management team together in the required time frame
In risk identification, CRSA is the assessment of risk and controls by —, not just management
Staff
In risk identification, what may CRSA entail?
Anything between a control self-certification signed off by management
Through questionnaires
To a full blown programme of enterprise-wide facilitated risk identification, analysis, evaluation and assessment workshops
In its most simplistic form, what are the three stages of CRSA?
Identify objectives for area and risks
Evaluate responses in place or required
Implement and monitor effectiveness of responses
The right — is critically important for CRSA workshops
Facilitator
An essential pre-requisite for understanding the likely success of a CRSA programme is an understanding of the organisation’s —
Culture
When using CRSA to identify risks, it is essential to obtain proper and full — from the top, to ensure it is taken seriously and acted upon
Sponsorship
Advance — and — are essential for CRSA, to ensure participants understand purpose and process
Planning and preparation
When planning a CRSA, it is important to select experienced and skilled — —
Workshop facilitators
The right — of participants in CRSA ensures contributions are obtained from those who manage, perform and interact with the activities being reviewed
Mix
CRSAs should be organised around agreed — — to prevent dominance by one individual or group
Ground rules
In the course of a CRSA, it is advisable to use a — — control framework against which to assess the effectiveness of the risk management activities in place
Good practice
In the course of a CRSA, it is vital not to miss — — and — — risk responses
Cross-functional
Inter-departmental
The results of a CRSA must be r— to enable appropriate follow-up and ensure agreed actions are pursued to completion
Recorded
List the potential benefits of CRSA
Articulates organisation’s attitude to risk and control
Raises awareness of RM at all levels
Transfers ownership of risk to management and staff
Considers risks and controls in a constructive way
Improves motivation and performance
Provides assurance to senior management on effectiveness of existing controls against risks
Improves level of assurance given to external stakeholders
— — risk management involves the board identifying key risks and then circulating to management for review
Top-down
— — risk management involves front line management identifying the key risks and passing them up the line to top management for review
Bottom-up
What are the main advantages of top-down risk identification?
Strategic focus
Good buy-in at the most senior level
Consistency across business units
Manageable number of risks
Speed
What are the main disadvantages of a top-down approach to risk identification?
Lack of realism
Lack of buy-in at lower levels
Lack of management responsibility for risks or responses
Root causes of risk may elude top management
Superficiality
What are the main advantages of a bottom-up approach to risk identification?
Buy-in at all levels of the organisation
Establishment of management responsibility for risks and responses
Avoids “one-size-fits-all” attitude
Assists in discovering root causes of risk
Wide involvement is seen as best practice in risk identification
What are the main disadvantages of a bottom-up approach to risk identification?
Huge volume of detail
May be too blinkered by detail
Lack of strategic focus
Effort required to collect and analyse data
Cost, resources and time commitment
In risk analysis, — is the chance or odds of a specific event occurring
Likelihood
Likelihood may be expressed in both q— and q— terms
Qualitative and quantitative
The two types of quantitative expression of likelihood are…
Probability
Frequency of occurrence
What is the advantage of using probability to express the likelihood of a risk occurring?
Simpler to understand
What is the disadvantage of using probability to express the likelihood of a risk occurring?
No reference point in time or in severity of impact
What is the advantage of using frequency of occurrence to express likelihood?
Takes account of impact and expresses likelihood with reference to time
What is the disadvantage of using frequency of occurrence to express likelihood of a risk occurring?
More complex and may be confusing to senior management
In risk analysis, — is the outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain
Impact
What are the three broad approaches to risk analysis?
Quantitative
Qualitative
Hybrid
The quantitative approach to risk analysis expresses risks — relative to each other
Numerically
Describe the steps in a quantitative approach to risk analysis
Financial value of impact estimated
Assessment made on a number of probability factors to which weightings are assigned
Financial value multiplied by various probability factors
Single rating calculated for each risk
Risks ranked by ratings
What are the main advantages of the quantitative approach to risk analysis?
Appeals to quantitative style of management
Clearly ranks risks so that management attention can be focused on key priorities
If only two factors used, risks can be plotted on a graph
What are the disadvantages of a quantitative approach to risk analysis?
Complex and time-consuming when multiple risk factors are analysed
If results are contrary to common sense they may be ignored, or the assessor may fudge the results
If adequacy of controls is included as one of the probability factors, the ratings do not make explicit the perceived effectiveness of RM activities (inherent and residual risk are blended into one number)
— methods of risk analysis judgmentally rate risks relative to each other with descriptive adjectives such as high, medium or low
Qualitative
Generally, qualitative risk analyses consider only two risk factors, — and —
Impact and likelihood
How may impact be rated when using a qualitative method of risk analysis?
High, medium or low
Within broad financial bands
According to non-financial impacts (e.g., minor injury, serious injury, single fatality, etc)
What are the advantages of qualitative risk analyses?
Rapid and simple to use
Provide general prioritisation to help direct management
Accord more with common sense
What are the disadvantages of a qualitative approach to risk analysis?
Can be a turn-off to a quantitative style of management
Where many high-impact/high-likelihood (HH) risks are identified, further prioritisation may be needed
Whether for quantitative or qualitative approaches to risk analysis, list some sources of information that may be used to help establish likelihood and impact
Historical records
Relevant experience
Industry practice and experience
Relevant published literature
Market research
Experiments and prototypes
Economic, engineering or other models
Specialist and expert judgements
When trying to establish likelihood/impact, list some techniques that could be used to gather data
Interviews with relevant experts
Use of multidisciplinary groups of experts
Individual evaluations using questionnaires
Computer and other modelling techniques
Fault trees and event trees
When evaluating risk, it is important to distinguish between the evaluation of i— risk and r— risk
Inherent and residual
What constitutes the difference between inherent and residual risk?
The measure of the effectiveness of the risk management responses
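The following worked example is added here and is not part of the original flashcards. It carries through the quantitative steps above (financial value of impact, weighted probability factors, a single rating per risk, ranking), shows the same risks rated qualitatively in H/M/L bands, and makes the inherent/residual distinction explicit by scaling the inherent rating by control effectiveness. The four risks, their values, the factor weightings and the band thresholds are all constructed for illustration; the weighted-sum likelihood and the "impact × likelihood" rating are one common way to implement the steps, not the only one.

```python
"""Quantitative vs qualitative risk rating, inherent vs residual (added example; all data constructed)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact_value: float        # estimated financial value of impact (constructed currency units)
    factors: dict              # probability factors, each in [0, 1] (constructed)
    control_effectiveness: float = 0.0  # 0 = no effective response, 1 = fully effective (constructed)


# Weightings assigned to each probability factor (constructed; must sum to 1)
WEIGHTS = {"threat": 0.5, "exposure": 0.3, "history": 0.2}

# Band thresholds for the qualitative rating (constructed; checked top-down, first match wins)
IMPACT_BANDS = [(1_000_000, "H"), (100_000, "M"), (0, "L")]
LIKELIHOOD_BANDS = [(0.6, "H"), (0.3, "M"), (0.0, "L")]
BAND_ORDER = {"H": 0, "M": 1, "L": 2}


def likelihood(risk: Risk) -> float:
    """Combine the probability factors into one likelihood in [0, 1] using the agreed weightings."""
    assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weightings must sum to 1"
    return sum(WEIGHTS[k] * risk.factors[k] for k in WEIGHTS)


def inherent_rating(risk: Risk) -> float:
    """Quantitative step: financial value of impact multiplied by the weighted likelihood."""
    return risk.impact_value * likelihood(risk)


def residual_rating(risk: Risk) -> float:
    """Inherent rating scaled by how much of it the responses in place remove.
    The gap between inherent and residual is the measure of the responses' effectiveness."""
    return inherent_rating(risk) * (1.0 - risk.control_effectiveness)


def band(value: float, bands) -> str:
    for threshold, label in bands:
        if value >= threshold:
            return label
    return bands[-1][1]


def qualitative_rating(risk: Risk) -> str:
    """Qualitative step: impact and likelihood each rated H/M/L; returned as e.g. 'HM' (impact first)."""
    return band(risk.impact_value, IMPACT_BANDS) + band(likelihood(risk), LIKELIHOOD_BANDS)


def rank_inherent(risks):
    return sorted(risks, key=inherent_rating, reverse=True)


def rank_residual(risks):
    return sorted(risks, key=residual_rating, reverse=True)


def rank_qualitative(risks):
    """Order by impact band then likelihood band; equal bands stay in input order (a tie)."""
    return sorted(risks, key=lambda r: tuple(BAND_ORDER[c] for c in qualitative_rating(r)))


def top_band_ties(risks):
    """Names of every risk sharing the top qualitative rating: if more than one, the
    qualitative method alone has not prioritised them and a further step is needed."""
    ranked = rank_qualitative(risks)
    top = qualitative_rating(ranked[0])
    return [r.name for r in ranked if qualitative_rating(r) == top]


# Constructed sample register (not real data)
SAMPLE_RISKS = [
    Risk("Key supplier insolvency", 300_000, {"threat": 0.3, "exposure": 0.5, "history": 0.2}, 0.2),
    Risk("Data centre outage", 2_000_000, {"threat": 0.7, "exposure": 0.9, "history": 0.5}, 0.8),
    Risk("Minor data-entry errors", 20_000, {"threat": 0.9, "exposure": 0.9, "history": 0.9}, 0.6),
    Risk("Ransomware", 1_500_000, {"threat": 0.8, "exposure": 0.6, "history": 0.9}, 0.5),
]

if __name__ == "__main__":
    for r in rank_inherent(SAMPLE_RISKS):
        print(f"{r.name:26} inherent={inherent_rating(r):>12,.0f} "
              f"residual={residual_rating(r):>10,.0f} qualitative={qualitative_rating(r)}")
    print("Residual order:", [r.name for r in rank_residual(SAMPLE_RISKS)])
    print("Tied at top qualitative band:", top_band_ties(SAMPLE_RISKS))
```

Two things to notice when running it: the inherent ranking (outage, ransomware, supplier, data entry) and the residual ranking (ransomware first, because its controls are weaker) differ, which is exactly why the flashcards insist the two be evaluated separately; and the qualitative method rates both the outage and ransomware as "HH", leaving management with a tie that the quantitative rating resolves.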
What factors may affect risk appetite?
Organisation size
Organisation environment
Organisational culture and ethos
Organisation's products and services
Stakeholder desires
Competitors' activities
Knowledge and experience of staff
Legislation and regulation
In non-financial businesses, a q— concept of risk appetite based on subjective preferences may be more helpful
Qualitative
With reference to risk appetite, what are the six postulates of RISK COMPENSATION THEORY?
Everyone has propensity to take risks
Propensity varies from individual to individual
Propensity influenced by potential rewards of risk taking
Perceptions of risk influenced by experience of accident losses
Individual risk taking decisions balance risk perception against propensity to take risk
The greater the risk taken, on average the greater the reward or loss
Who should dictate the overall risk appetite within an organisation?
The board of directors
Why should an organisation identify its risk appetite?
So that decisions about responses are weighed against agreed criteria
If the board’s perspective on risk is to prevail over the perspectives of local management, what should be in place?
Clear risk policies
List five downsides to a risk averse approach
Failure to treat risks
Leaving critical decisions to other parties
Deferring decisions which organisation cannot avoid
Selecting option because it represents a potential lower risk regardless of benefits
Avoiding or ignoring risk regardless of information available or cost of treating risk
What are the main types of risk response?
Terminate
Tolerate
Transfer
Treat
(and Exploit, for opportunities)
What are the two main internationally known control frameworks?
COSO framework
CoCo framework (Criteria of Control, Canadian Institute of Chartered Accountants)
What is COSO’s definition of internal control?
A process
Effected by an entity’s board of directors, management, and other personnel,
Designed to provide reasonable assurance
Regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with laws and regulations
Safeguarding of resources
What are the five components of the COSO integrated framework?
Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities
What are the four fundamental concepts of internal control implied in COSO’s definition?
Internal control:
Is an integrated process
Is effected by people (and so is imprecise)
Provides only reasonable assurance
Is geared to the achievement of objectives
What are the four categories of control by TYPE?
Directive
Preventive
Detective
Corrective
Give some examples of DIRECTIVE controls
Plans and objectives
Policy statements
Processes, procedures and guidance manuals
Signage or traffic lights
Training programmes and CPD
Give some examples of PREVENTIVE controls
Physical or logical access controls
Segregation of duties
Protective clothing
Vetting of job applicants
Security guards
Give some examples of DETECTIVE controls
Fire or smoke detectors
Account reconciliations
CCTV cameras
Supervisory checks
Asset or stock checks
External audit
Give some examples of CORRECTIVE controls
Insurance policies
Business continuity plans
Recovery of overpayments
Refresher training
Conduct and disciplinary activity
What are the eight categories of control by FORM?
SOAPMAPS:
Supervisory
Organisational
Authorisation
Personnel
Management
Accounting
Physical
Segregation of duties
What four key attributes of an accounting system should ACCOUNTING controls address?
CAVA: Completeness, Accuracy, Validity, Authorisation
What is the starting point for the risk management process?
Business objectives