Chapter 12 Flashcards
12.1: What are the common causes and effects of loss events?
The causes of loss events are typically due to one or more of the following:
- people (human error, negligence and criminal acts);
- processes (poor process design, excessive reliance on fallible human input or breakdown);
- systems (systems failure); and
- external events (weather, politics, terrorism or economic events).
The effects of loss events are:
- loss of resources (asset damage or loss of cash);
- loss of human resources (injury, ill health or death); and
- loss of reputation, including customer goodwill.
12.2: Under what circumstances may risk be tolerated? Contrast this with termination.
Risks may be tolerated where they are known and accepted. Usually this will mean that the level of risk exposure is
considered to be within the agreed appetite for the risk in question. Alternatively, a risk that exceeds appetite may be
tolerated because it is not cost effective to control the risk further and termination is not an option.
To accept a risk, it is important to have a good understanding of the level of exposure, in terms of probability and impact.
The decision to tolerate should be approved by management. The greater the level of exposure to be tolerated the more senior should be the level of management approving the toleration.
Termination is the decision to end exposure to the risk altogether, usually by ceasing the activity that gives rise to it. In practice this often means that operational activities or premises are closed down. Termination may not be possible where these activities or premises are important to the organisation and necessary for it to achieve its objectives.
12.3: Categorise the following controls using the PCDD approach:
* smoke alarm
* financial reconciliation
* internal audit action plans
* insurance
* building security
* IT acceptable use policy
- smoke alarm – Detective
- financial reconciliation – Detective
- internal audit action plans – Directive
- insurance – Corrective
- building security – Preventive
- IT acceptable use policy – Directive
12.4: Distinguish funded from unfunded risk finance
Funded risk financing means putting arrangements in place (such as provisions or contingency loans) to pay for the
financial effects of loss events before those financial effects are incurred. The arrangements are usually made before a
loss event has occurred, but they may also be made afterwards, where there is a gap between the occurrence of the event
and the realisation of its financial effects.
Unfunded risk financing means that no such arrangements are put in place; the organisation relies on its cash flows and
on any capital in the balance sheet to pay for the financial effects when they arise. Unfunded risk financing may be
accidental, for example where a financial effect is not identified or is assessed inaccurately, or it may be deliberate, for
example where the financial effect is considered small relative to cash flows or capital, or where funded risk financing
is not possible or is too expensive.
12.5: How does business continuity planning fit with crisis management?
Crisis management addresses all stages of a crisis from the emergence of the causes of the crisis (which may emerge
days, weeks or years before the crisis event), through to the crisis event and its aftermath.
Business continuity plans help with containment and damage control, and support business recovery. Rapid recovery
should ensure that the continuity of organisational activities is maintained with the minimum disruption. Business
continuity planning is an important control in the crisis management process.