Acronyms Flashcards
RASP - what is it? What does it stand for?
RASP provides details of the risk management framework and helps define risk management context.
R = Risk
A = Architecture (as in Risk Architecture: committees, roles, responsibilities etc.)
S = Strategy (as in the RM philosophy, appetite, how it is embedded)
P = Protocols (tools, techniques, assessment procedures)
CHOC - what is it? What does it stand for?
CHOC are the 4 different CATEGORIES of risk used by Hopkin.
C = Compliance Risks: Minimise these.
H = Hazard Risks: Mitigate these. 'Pure Risk'. Impact always negative.
O = Opportunity Risks: Embrace these. 'Speculative'. Impact has the potential to be positive.
C = Control Risks: Manage these. 'Speculative'. Impact uncertain.
FIRM - what is it? What does it stand for?
FIRM is an example of a Risk Categorisation approach that can also be used when developing a ‘Scorecard’ for Risk.
F = Financial - Internal (the way money is managed, profitability)
I = Infrastructure - Internal (efficiency of processes)
R = Reputational - External (perception)
M = Marketplace - External
Other categorisation approaches include PESTLE (best used for Hazard Risks) or the COSO ERM approach (SORC). CHOC can also be overlaid on these.
The 4N’s of Risk Maturity - what are they?
The 4N’s relate to the Risk Maturity Model: the “Status Levels” or “Stages” of Risk Maturity. Each stage matches well with a level of embedment under FOIL.
Naive - Fragmented ERM embedment
Novice - Organised ERM embedment
Normalised - Influential ERM embedment
Natural - Leading ERM embedment
FOIL - what is it?
FOIL relates to the characteristics of Risk Management (or ERM) embedment in an organisation
F = Fragmented (legal and compliance only, e.g. HSE)
O = Organised (coordinated and planned across all types of risk)
I = Influential (ERM is now influencing processes and behaviours)
L = Leading (Risk is a substantial factor in decision making)
Different levels of embedment are often accompanied by a corresponding level of Risk Maturity in an organisation (the ‘4 N’s of Risk Maturity’).
PACED - what is it?
PACED are the 5 Principles of a Risk Framework (what a successful ERM initiative and Framework should be, i.e. ‘what does good look like’).
P = Proportionate (to the level of risk in an org)
A = Aligned (with other business activities)
C = Comprehensive (systematic, structured)
E = Embedded (within the business, procedures etc.)
D = Dynamic (iterative and responsive to change)
While ‘PACED’ shows ‘what good looks like’, ‘MADE2’ tells us ‘what good gives us’ and what objectives good Risk Management will achieve.
MADE2 - what is it?
MADE2 tells us ‘what good gives us’ and what objectives good Risk Management will achieve.
M = Mandatory requirements will be met (rules, regulations, laws etc.)
A = Assurance that control activities are working and are 'PACED'
D = Decision making will be able to use appropriate risk-based information
E(2) = Effective and Efficient core processes, which will help achieve 'STOC' (strategic, tactical, operational and compliance objectives)
STOC - what is it?
STOC are the core processes of an organisation
S = Strategy (what the org intends to achieve and how it plans to achieve it)
T = Tactics (the means by which Strategy will be delivered)
O = Operations (the actual activity)
C = Compliance (the processes, protocols and procedures in place to ensure mandatory obligations are met)
PESTLE - what is it?
PESTLE is another Risk Classification system (like FIRM, or SORC).
P = Political (tax policy, employment laws, regulations)
E = Economic (growth, interest rates, inflation, credit)
S = Sociological (norms, cultures, age distribution)
T = Technical (disruption, barriers to entry, tech changes)
L = Legal (changes to laws impacting business)
E = Environmental (or Ethical)
Best applied for HAZARD risks and EXTERNAL risks, and less applicable for financial, infrastructure and reputational risks.
Also good to use PESTLE within an assessment workshop. The ‘orange book’ recommends doing a SWOT against each PESTLE category.
The 4 T’s - what are they?
The ‘4T’s’ relate to the ‘Risk Response’ and specifically the methods to treat HAZARD risk.
Tolerate - Low Impact, Low Likelihood
Treat - Control or reduce Low Impact, High Likelihood (most common response)
Terminate - Impact is too high, likelihood is too high … just need to stop the activity.
Transfer - High impact but low likelihood. This is via Insurance or other contractual arrangements to offload some risk
Risk responses for Strategic Risks use the 4Es and 5Es approach.
p.175
4E’s and 5E’s
Both are used as Risk Responses for Strategic Risk or Opportunity Risk.
4E’s :
Exploit (High Reward, Low Risk … until competitors arrive)
Exist (Low Reward, Low Risk … in maturing markets)
Explore (Low Reward, High Risk .. entrepreneurial opportunities)
Expand (High Reward, High Risk … depending on risk appetite and capacity; see 5Es)
5E’s: works as a flow chart and adds to ‘Expand’ by saying ‘Expand if you can (if you have the resources and appetite), or Exit if not (which may still be for a profit)’.
Start at Explore (high risk, low (current) reward), move up to Expand OR move up again to Exit, then shift left to Exploit, then shift down to Exist.
SORC and the COSO Cube
The ERM version of the COSO cube was produced in 2004.
COSO = Committee of the Sponsoring Organisations of the Treadway Committee (2004)
SORC is the top of the cube: the 4 Categories of Corporate Objectives (similar to STOC).
S = Strategic (high-level goals)
O = Operations (effective and efficient use of resources)
R = Reporting (need to report reliably)
C = Compliance with laws
The front of the cube shows the Risk Management approach aligned to how management runs an organisation.
LILAC
LILAC is how a Risk-Aware Culture is achieved, through:
L = Leadership: strong leadership on strategy, projects and operations.
I = Involvement: of all stakeholders in the risk management culture.
L = Learning: an emphasis on training in risk management procedures and learning from events.
A = Accountability: for actions and deliverables (but not a 'blame culture').
C = Communication: and openness on issues and lessons learnt.
CoCo and the 4 components of CoCo
CoCo is the ‘Canadian Criteria of Control’ framework.
It is a framework to measure, or benchmark, the quality of the Control Environment, known as the ‘internal environment’ in the COSO cube. The quality of the control environment is also a very good indicator of overall ‘Risk Culture’.
The 4 CoCo Components are:
1) Purpose: Sense of direction / what are we here for?
2) Commitment: Sense of identity / do we want to do a good job?
3) Capability: sense of competence / what actions do we need to take?
4) Monitoring & Learning: sense of evolution / what’s next / how do we get better?
Also know LILAC as another indicator or benchmark for Risk Culture.
SOx … what are the two to know
Step 1: get the data right … SOx 302 - Full and accurate disclosure of all information about the organisation (validated). All data produced by an organisation must be validated.
Step 2: get the data audited … SOx 404 - Accurate reporting of results to a higher authority (must be audited).
Context is with Risk Management Reporting and the Responsibilities of the Board.
SOx recommends use of COSO
The 4C’s
4C’s relate to ‘Attitude to Risk’
Comfort - what risks are you comfortable to take? (one of the lows … either low impact or VERY low likelihood)
Cautious - a band through the middle
Concerned - a band a bit more ‘upper right’
Critical - far right … high impact (to that business) and likelihood.
Can be an alternative to ‘Appetite’, but ‘Attitude’ is the longer-term overall attitude to particular types of risk, while ‘Appetite’ is the more immediate need (or willingness) to take a specific risk.
CSFRS
Just a range of stakeholders.
Customers Suppliers Financiers Regulators Staff
ISO Guide 73 - Stakeholders: “a person or group concerned with, affected by, or perceiving themselves to be affected by an organisation”
CASE
relates to Reputation (reminder … ‘get off my case’ I have a good reputation).
A good reputation means customers or clients will be willing to do business with you.
C = Capabilities - a clear purpose, strategy and the ability (and resources, skills) to deliver it.
A = Activities - what the organisation does, what sectors it operates in.
S = Standards - what levels of quality, service, support etc. you deliver.
E = Ethics - what levels of ethics you hold yourselves to, and whether they are regularly monitored, reported on and improved.
Reputation is a component of the FIRM risk scorecard (the R)
4P’s
Are the 4 sources of hazard risks or ‘categories of operational disruption’ (which you ‘mitigate’)
People - lack people / skill / behaviours / absence
Premises - unable to access / contamination / theft or loss of physical produce
Process - IT / Communications / Hackers / Transport Systems
Products - Poor product or service quality / supply chain issues
Reminder: CHOC Risks: Compliance - Minimise; Hazard - Mitigate; Opportunity - Embrace; Control - Manage.
PCDD
4 Types of Hazard Control (a hierarchy)
P = Preventive (Terminate): stop these high-risk, high-impact events happening. ‘The most important type of control’ (also eliminate, remove, substitute).
C = Corrective (Treat): the next best option. You know these happen (lower impact, high probability), so make sure you can limit their scope or limit the impacts. Barriers or guards, even passwords (to stop access), are corrective: simple and cost effective.
D = Directive (Transfer): relies on people or training to act / operate / behave in a certain way to prevent occurrence.
D = Detective (Tolerate): keep an eye on these and make sure you are able to detect them when they occur. E.g. a stocktake detects minor theft after it occurs; health monitoring detects lead exposure after it occurs.
8Rs
The 8Rs and 4Ts are a ‘basic representation of the Risk Management Process’.
The 8Rs:
Recognition
Rating
Ranking
Responding (with the 4Ts: Treat, Tolerate, Terminate, Transfer)
Resourcing (of controls)
Reaction (planning and event management)
Reporting (and monitoring of risk performance, actions, events, issues)
Reviewing (of the RM system, including architecture, strategy and procedures)
CRAM
Risk Practitioner Competencies and the PEOPLE skills required
C = Communication (written, oral, presenting)
R = Relationships (influencing, networking, negotiating)
A = Analytical (and strategic skills)
M = Management (manage, lead teams & projects)
Also need to have TECHNICAL skills related to a Risk Management Framework, "PIML":
P = Planning
I = Implementing
M = Measuring
L = Learning
CORR
CORR are the components of the business model:
C = Customer (segments & markets, marketing & sales)
O = Offering (the customer value proposition and the value being provided to the customer)
R = Resources (data, capabilities and assets of the business)
R = Resilience (reputation of the business and financial resilience)
Note that Reputation is a big component of Resilience (and is represented by CASE … Capability, Activities, Standards, Ethics)
VMOST
Vision & Mission
Objectives
Strategy
Tactics
OCK
3 Ways that Risks can be attached
O = Objectives
C = Core Processes
K = Key Dependencies and stakeholder expectations
Objectives - the most common approach, but it has shortcomings unless objectives are very clearly thought through and understood. Can fail to truly capture all risks.
Core Processes - STOC (Strategy, Tactics, Operations, Compliance)
Dependencies - ‘what are the features or components of the organisation AND its external context that are key to success’ (actually a SWOT), and THEN how can these be impacted. Useful to attach dependencies to a FIRM categorisation.
What is Loss Control?
Loss Prevention (LHS of bowtie) = reduce likelihood
+
Damage Limitation (middle of bowtie / event) = reduce the magnitude of the event (while it is occurring) (e.g. sprinkler systems)
+
Cost Containment (RHS of bowtie) = reduce subsequent impact and consequences
FOSH
FOSH is the IRM classification of Risk (actually ordered FSOH):
Financial
Strategic
Operational
Hazard