CHAPTER 4 Flashcards
(129 cards)
1
Q
What is the first step in the risk managemnt process
A
Effective risk identification
2
Q
Whatis risk mangment within an org
Not a separate unit but
A
Its an integral to and indivisibl from strateguc and operatonal managemnt
3
Q
When examining risk information what is the first informaton we need
A
We need a list of risks, and arrange them in some order of importance
4
Q
What risks do we need to identify
A
Thise that affect our organisation , and we need to identify as many of those risks as possible, the more risk we identify the better prepared we can be
5
Q
How will a risk department need to identify risks
A
They need to identify in a logical and cost effective manner
6
Q
What are the internal intelligence sources to enable us to identify risks
right accross our organisation
A
-People
-Meetings
-Committees
-Documents
-Database
-Observation
7
Q
Apart from personnel associated with audit and complaince function, what are other roles that may have managment of risk considered to be part of their role
A
-design engineers
-facilities manager
-project managers
-legal offiers
-product development manager
-company secretary
8
Q
How will a formal meeting be recorded
A
The outcome of a formal meeting will be recorded in a document known as minutes
9
Q
What will a properly written minutes allow
A
It will allow people absent from the meeting to learn about key decisions or activities that were made
10
Q
What is a committee
A
A nominated group of people holding meetings for a particular reason
11
Q
Whic department shall be involved in all committes that discuss risk
A
The risk department
12
Q
What will a board risk subcommittee be authorised to fulfill
A
They will be authorised to fulfil baord responsibilities regarding risk
13
Q
What is the purpose of an audit subcommittee
A
The purpose is to stand back from the organisaion’s functional executives and take a view on the behaviour of its manages and effectiveness of business controls
14
Q
As the audit committee is discussing strategic risk controls what should the risk department do
A
The risk department should either be present or at the very least be required to report on the risk eposures to the committee
15
Q
What will bring benefits to both audit subcommitte and risk department
A
Cooperation and goof relation ship
16
Q
What are some examples of useful documents for risk information
A
-Proposal papers
-Auditors repots
-Insurance documents
-Proceudres manuals
-Historic risk reports
17
Q
What are proposal papers
A
These are documents produced to support request for approvl
18
Q
What do proposal papers set out
A
They set out background information leading to the request and the implication of its approval, predicted benefits will empasized and investment needed wil lbe detailed, They might highlight risks involved
19
Q
What are auditors reports
A
These are douments recording the findings of audit activity
20
Q
What are large organisations required by law
in terms of auditing
A
They are required to have an annual financial audit by a qualified external accountant
21
Q
Some of regulatory authorities within UK financial services look at audit as
A
As evidence of goon managment contorl
22
Q
apart from financial audits, what are other types of audits
A
- Quality audits
- Audits to ensure conformance with written working proedures
23
Q
Non financial ausits are internally authorised by
A
-Senior Managers
-The board
24
Q
What is the purpose of audit
A
The purpose is to check that proper output is bing produced, ir being accurate financial information of ull specification product
25
Auditor's report comments on
The reliability of procedures, checks and control and may higlighy unnecessary risk for managemnt attention
26
What confidence do audits give
They give directors confidence that they can trust information presented to them and a measure of probability that planned outcomes will be achieved
27
What is the policy schedule
This is a place where the policy is made personal and specific to the insured
28
What details does thepolciy schedule have
-Insured's name
-Insured's address
-Policy period
-Premium
-Detail of the subject matter
-Sums insured or limit of liability
-Territorial limits
-Policy numner
-Reference to specia excluson/condition/aspet of cover
29
What do syrveys assist with
| in insurance
They make comments about exposures and may include recommendaton to improve the control of risk
30
What are procedures manual
These are documents that set out procedures and methods to be followed by personnel working on various areas
31
Why should risk department take detailed interest in procedures manuals
This is because this is where procedureal risk management is implemented
32
Who will maintain records of individual risks
-Individual managers
-Risk Deparment
33
Why do most organisation keep record in databases
They do so to make use of serch facilities and for ease of record retrieval
34
Why is database separate from documents
This is becasue database implies continuos updated information sources, and documents are essentialy snapshots reports associated with a specific date
35
What are some externa sources of information available to identify risks in many different areas
-Gov't org or org's linked to the govt
-B'ness and professiona institutions
-Insurers and related orgs
-Database
-Emergency ervices
-Consultants
-Newspapers and Magazines
-Company reports
-Conferences
36
Gov't orgs and orgs linked to gov't ublish a wide selection of material that concentrate on
They usually concentrate on general risk information of interest to multiple orgs or general information on speific risk categories
37
Business and professional institutions publish useful information on
They publish on best practice, standards, audits, managment and governance issues. They also contain,hold surveys and pblish ase studies of topicl corporate incients
38
Insurers keep records of
They keep records of historical claims and more than happy to discuss individual claim files ad lessons to be leant from incidents that gave rise to claims
39
What do insurers also publish
They publish general risk related materials including research findings
40
Why are loss data sharing consortia common in financia institutions
They are common as they help reduce operational risk
41
What is Operational RIsk Consortium(ORIC)
This is a quality controlled loss database to support risk managment activities for insurers
42
The Operational RIsk Consortium(ORIC) hold informaton on
It hold info on operational riski.e losses due to failed peopleprocesses/systems/eternal events
43
The Operational RIsk Consortium(ORIC) aims to improve
It aims to improve the risk measurement and modelling skills of its members
44
Emergency services provide information on
It provides info on risk and trends in risk
45
What do consultants range from
They range from knowledgeable individuals with special skills to subsdiaries of insurers or brokers and global corporations with vast resources and contacts
46
What do consultants bring to a project
They bring focused, current information, specialist skils or additional resources to a project
47
Employing consultant should be subject to
subject to a stringent cost benefit asessment as this is a risk itself. More particularly focused on contract terms determining responsility for detrimenta outomes after using information or following their advise
48
What is the advantage of conferences
They have a way of bringing together people intersted in specialist subjects in a non-confrontiona environment
49
What are ways of collecting internal information
-A tour
-Automatic information gathering
-Collecting information from documents
50
what is a time well spent for ay risk professional
A tour of an org
51
An efficient organisation tour should inclue
-visits to various shop floors
- interviews wih key operational and faciltiies managers
- Get to know as many as you can and try to make them your frientds
52
During tour by getting to make friends with key operational and facilities managers, how will this help
| an internal information collector
They will be able to provide org's chrts and process flow charts for those areas in which they are involved in
-They can explain what their unit does, how it does it where, in theri view ie their exposures
53
information that is gathered in a tour will be
a starting point for understanidng risks and impact
54
who is often the responsibility for highlogting procedural risk for an individual worker
The risk department, particularly where practices/personnel have changed in or around a long established unit
55
To enabe routine risk information collecton what should there be
There needs to be a proactive managment information sysem developed specifically for use by the risk department
56
How does autmatic informarion gathering process begin
Process begins with an effective method of ensuring that all necessary information is bought into the department and is digested and turned into a useful managment tool in a properly structured way
57
What will make automatic information gathering effective
The procudures for collecting risk information must be clearly documented and issued wth the authority of the managing direcor or ceo
58
For collecting automatic information what proceudres must be followed for risks and potential hazards
There must be a recognised procedure for olleting specific information about risks that materialize into incidents and recording potential hazards reported by individuals
59
The recognised procedures for collecting informtion on risks materialising into incidnts and recording potential hazards must clarify
These procedures must clarify how incidents are to be logged and what supporting data is required
60
For large multinational organisation its an enormous tas to identiyf and keep track of risk data, thus
The data collected must be carefully selected, must be relaible,complete, accurte, with a system in place to prevent falsifiation,alteration or loss
61
What is the most important thing on data collected from automatic information
The data must be useful and used in subsequent analysis and reports
62
Its important for risk department to form good relationshis with operational managers throughout an org because
These managers will influence the attitude of people that are nominated to report risk data and in turn will directly affect the quality of rik imformation they collect
63
How are useful risks data collected completely eletronically
Where plant or processes are highly automated or digital sensors are involved
64
Whats an example of where data is electronically collected
Security camera operations
Flight data/black box
65
For collecting information from documents, what are the selected documents
They will include minutes of relevant meetings, like meetings specificlly to discuss risk, meeting on key policy and meetings where strategic option are likely to be discussed
66
why are discussions on security risks and some commercia risks geerally exclued from the minutes of meetings
This is because publishing risk information might alter the risk concerned
67
What is our best soure of eternal information
The internet
68
What is required to be done on external information collected on paper
Paper has to be scanned/sorted/processed in exactly the same way as paper information collected internally
69
Information from the interent comes in which fomr
Machine-readable form
70
External sureys are used extensively to
They are used to measure customer satisfaction and collect information for marketing use
71
Before processing data what is a question we must address
Is the data relaibla and does it change
72
What does processing unreliable data lead to
This leads to wrong concludiond being drawn, followed by bad managment advise and wrong decisions being made
73
What should we do if we cant guarantee that our data is trustworthy
This must be explicitly stated in all subsequent reports and recommendations based on that information, explaining why we thing the data us likely not to be trustworthy
74
Risk professional must be aware that there s apossibility of deliberate information falsification even, what would be the reason behind this
People may be trying to look good, or to provide optimistic results or hide partiular risks,other peole may have persona issues, disputes or grudges to resolve
75
Information change can be in
It can be in personnel, products and market places or in the many dfiferent ways in which products or services are delivered
76
Risk department must keep adequate detailed records in what form
| information change
In a form that facilitates information search,retrieval and analysis
77
What other records must risk department keep
They must keep records of analyses performed that led to critical decisions being taken
78
What are methods of risk identification
-Organisation Charts
-Flow Charts
-Checklist and questionnaires
-Physical inspection
-Brainstorming and workshops
-fault trees
-Hazard and operability studies
9HAZOP)
79
Why is an organisation chart useful
It's useful as it demonstrates the organisation's activities and organisational structure
80
An organisation chart can be extended beyond the organisation to reflet
This will reflect where there are critical suppliers among thirdparties or other group deparments
81
Why will a risk team need considerable people skills
| on organisation charts
This wil be ideal to sell ideas and convinve reluctant audiences
82
What doe a flow chart give and shows
It begin to gives a clear picture of risks carried and begin to show in detail how the impact of a risk incident will be felt through out an org
83
What does flow chart picture
It pictures the route taken by all crucial ingredients of the final products through to completion and final delvery
84
The logic of a flow chart is essntial tool when
Wheneer there are a range of products and services that are necessary key ingridients of the final products
85
How can flow charts be in a large organisation
They can be extremely large and complicated
86
In a large organisation if the chart is too large then
It an be sensible divided ito managable sections then consideration shoud be given to profuin several charts eah for a different type of informaton
87
How can questionaires be used
- Method of collecting risk data
- - Cn be used to start quantifying risk
88
What are straightforward and ommonly used tools for risk idnetification
Checklist and Questionnaires
89
Checklist and Questionnaires are useful as
-as an aide-memire to the risk team directly
-if risk team need to delegate info gathering to others
-to bring info that may have been gathered in different places nack together in a common format
90
Checklist and Questionnaires are useful as
-as an aide-memire to the risk team directly
-if risk team need to delegate info gathering to others
-to bring info that may have been gathered in different places nack together in a common format
91
What is a disadvantage of giving a questionnaire
The answes completed by the person will be directed by the uestions, they may not appreciate the need to add additional info that could in particular circumstances be crucial
-Are the answers precisely clear to thse who need to answer it or could there be 2 interpretation
92
What are the benefits of checklist and questionnaire
They can be extremely efficient way to get basi information from a large numbe of different locations and people
93
Why are trial runs with representative people important parto fquestionnaire design
This is becasue the feedback can help in the final design before release to the wider audience
94
What are the main differences between questionnaire and checklist
-Questionnaire is sent to someone else to complete
-A checklist is something that simply promprs a profesional or another to give answers in a particular way
95
why do questionnaires use checklist
They do so to limit possible answers to a question so that results are more easily analysed by computer
96
What is another common use of checklist
The survey report forms used by riks surveyors
97
A good questionnaire and checklist will solicit
A series of simple answers that can be easily processed by computer but it will also allow enough space for the user to complement these answers with comments, opinions and suggestions.
98
What does the design of checklist need to take into account
It needs to take into account the technical skills of the user
99
Why does survey fulfil a dual role
It has the role of identifying risks and also begins the job of managing them
100
What is brianstorming and workshops
This involves a group selecting a topic for discussion and recording as may ideas as possible
101
How are the brainstorming session
They are ussually informal and unstructured, their main focus is freedom of expresssion and quantity of ideas rather than quality
102
In brainstorming sessions a professiona facilitator may be used whose role will be
To keep a careful balance between time, the agenda and the direction of the conerstion flow
103
What is a desktop excercise in a brainstorming session
When meetings are arranged as an ecercise where scenarios are desribed and partiipants are expected to say how these scenerios migh unfold, jow damaging they migh be and how they could or cold not be managed
104
Desktop excerise is commonly used to help
It helps in developing continuity plans
105
what does desktop excercises highlight
they highlight risks and threats and their potential ipacton a particular division of an organisation. It can explore interdivision dependecnies and importance of these
106
What is an alternative to desktop discussions
To stimulare incidents for people to manage through, thousgh this is expensive aand only appropriae in particular circumstances, usually when loss of life is at stake
107
What are the useful purpsoes of excersises
| brainstrming and workshop sessions
Useful purpose in familiarizing people with an incident situation so that they cope better if faced with a real emergenct
108
With desktop excercises what do partisipants provide
| brainstorminf and workshop
They provide feeback thpughts and ideas that can be studied and used to help manage future risk
109
When do brainstorming groups gain best value
They do if risk professionals join them as full members or as observers or advisers
110
What does a flow chart illustrate
The chain of events that bring together materials and resourcs to create and deliver an finished produt. It reveals the source of critical parts
111
What does fault trees investigate
They investigate what could cause suppleis to ceae and consider the lkelihood of that happening
112
Fault trees can achieve 2 things which are
-It can look at a flow chart from the POV of risk and begin to assess the chance of a supply chain being broken
-It can look at the risk within a process or piece of machinery and take a view on the potential for damage
113
what does the fault tree not look at
The proess leading to the end result
114
What does the fault tree look at
It tries to understand the potential for a failure to deliver that which is critically needed and the looks backwards to search out the possible cause of that failure, which could be from a single cause or combination of casue
115
How does fault tree analysis begin
It begins with each ingredient then consders whether that ingredient cpuld fail to arrive in a timely way at the point of inclusion,and if so it takes a view on the consequenes
116
Under fault tree analysis what is the premise
The premise is the a production line is an intergrated evolving process whereby there is one time only and one plae only for each part to be added
117
Whne examining what could cause supply to faul, risk professional may also wish to review
To review the quality and resilience of the supplier's factory, the may look at the supplier's own pilocy in sourcing materilas
118
How may an org reduce the potentioa of single points failure
| in the supply chain
They may do so by sourcing ingredients form 2 or more entirely different suppliers, as the risk of simultaneous failure by 2 uppliers is much less if they are geographically separate
119
An org will maintian high focus on which ingredients
High dependency/low availability ingredient
120
What type of ingredients are High dependency/low availability ingredient
These are ingredients that could be a specialist or bespoke product on which the org's own productionline has a high and urgent dependancy. It will look at these dependencies and other events that may cause failure or loss
121
For Fault trees and supply chain the questions are asked to gain
The view of risk and dependencies theseqns can be equally valid within the org and for supplier of critical parts, the issue is continued supply of quality ingredients
122
How will the fault tree help risk managers
Fault tree can highlight individual exposures that help the risk manager to prioritise attention to those risk incidents most likely to occur or risk incidents that would have most signigficant impact
123
What is the Hazard and Operability studies(HAZOP)
This is a metod of quantifting risk that can work well alongside the fault tree
124
How are Hazard and Operability studies(HAZOP)
They are rigorous, detailed and usually contain computerised fault tree analysis of safety critical systems or system components often conducted during their design
125
Where did the Hazard and Operability studies(HAZOP) concept originate
It originated in the chemical industry, it is a qualitative equiry in the operation of a plant from the point of view of hazard
126
Where did the Hazard and Operability studies(HAZOP) addresses the belw 4 questions
-What is the part **INTENDED** to achieve
-What **deviations** are possible from the usually expected delivery
-What could be the **causes** of those variations
-What could be the **consequences** of thse variations
127
When examining the causes in HAZOP, risk department needs to ask 2 important questions
-What event/cause could cause a deviation to that degree?
-What combination of events could cause a decation to that degree?
128
When is HAZOP type study most appropriately carried
It's carried out on a piece of equipment that is understood to be important or to possess safety dangers. This equiment is important to the safety of employees,visitors/neighbours or key pat of a hain of events that delvers the final prouct or service
129
HAZOP studies are often desinged to
They are designed specifically to identify potential worst case scenerios
