CHAPTER 4 Flashcards
What is the first step in the risk management process?
Effective risk identification
What is risk management within an organisation?
Not a separate unit; it is integral to and indivisible from strategic and operational management
When examining risk information, what is the first information we need?
We need a list of risks, arranged in some order of importance
What risks do we need to identify?
Those that affect our organisation, and we need to identify as many of those risks as possible; the more risks we identify, the better prepared we can be
How will a risk department need to identify risks?
They need to identify them in a logical and cost-effective manner
What are the internal intelligence sources, right across our organisation, that enable us to identify risks?
-People
-Meetings
-Committees
-Documents
-Database
-Observation
Apart from personnel associated with the audit and compliance function, what other roles may have management of risk considered to be part of their role?
-design engineers
-facilities manager
-project managers
-legal officers
-product development manager
-company secretary
How will a formal meeting be recorded?
The outcome of a formal meeting will be recorded in a document known as minutes
What will properly written minutes allow?
They will allow people absent from the meeting to learn about the key decisions or activities that were made
What is a committee?
A nominated group of people holding meetings for a particular reason
Which department shall be involved in all committees that discuss risk?
The risk department
What will a board risk subcommittee be authorised to fulfil?
They will be authorised to fulfil board responsibilities regarding risk
What is the purpose of an audit subcommittee?
The purpose is to stand back from the organisation's functional executives and take a view on the behaviour of its managers and the effectiveness of business controls
As the audit committee is discussing strategic risk controls, what should the risk department do?
The risk department should either be present or, at the very least, be required to report on the risk exposures to the committee
What will bring benefits to both the audit subcommittee and the risk department?
Cooperation and a good relationship
What are some examples of useful documents for risk information?
-Proposal papers
-Auditors' reports
-Insurance documents
-Procedures manuals
-Historic risk reports
What are proposal papers?
These are documents produced to support a request for approval
What do proposal papers set out?
They set out the background information leading to the request and the implications of its approval; predicted benefits will be emphasised and the investment needed will be detailed. They might highlight the risks involved
What are auditors' reports?
These are documents recording the findings of audit activity
What are large organisations required by law to do in terms of auditing?
They are required to have an annual financial audit by a qualified external accountant
Some regulatory authorities within UK financial services look at audit as
Evidence of good management control
Apart from financial audits, what are other types of audits?
-Quality audits
-Audits to ensure conformance with written working procedures
Non-financial audits are internally authorised by
-Senior managers
-The board
What is the purpose of audit?
The purpose is to check that the proper output is being produced, i.e. accurate financial information or a full-specification product
Auditors' reports comment on
The reliability of procedures, checks and controls, and may highlight unnecessary risk for management attention
What confidence do audits give?
They give directors confidence that they can trust the information presented to them, and a measure of the probability that planned outcomes will be achieved
What is the policy schedule?
This is the place where the policy is made personal and specific to the insured
What details does the policy schedule have?
-Insured's name
-Insured's address
-Policy period
-Premium
-Detail of the subject matter
-Sums insured or limit of liability
-Territorial limits
-Policy number
-Reference to special exclusions/conditions/aspects of cover
What do surveys assist with in insurance?
They make comments about exposures and may include recommendations to improve the control of risk
What are procedures manuals?
These are documents that set out the procedures and methods to be followed by personnel working in various areas
Why should the risk department take a detailed interest in procedures manuals?
This is because this is where procedural risk management is implemented
Who will maintain records of individual risks?
-Individual managers
-Risk department
Why do most organisations keep records in databases?
They do so to make use of search facilities and for ease of record retrieval
Why is a database separate from documents?
This is because a database implies a continuously updated information source, whereas documents are essentially snapshot reports associated with a specific date
What are some external sources of information available to identify risks in many different areas?
-Government organisations or organisations linked to the government
-Business and professional institutions
-Insurers and related organisations
-Database
-Emergency services
-Consultants
-Newspapers and magazines
-Company reports
-Conferences
Government organisations and organisations linked to the government publish a wide selection of material that concentrates on
They usually concentrate on general risk information of interest to multiple organisations, or general information on specific risk categories
Business and professional institutions publish useful information on
They publish on best practice, standards, audits, management and governance issues. They also hold surveys and publish case studies of topical corporate incidents
Insurers keep records of
They keep records of historical claims and are more than happy to discuss individual claim files and the lessons to be learnt from incidents that gave rise to claims
What do insurers also publish?
They publish general risk-related materials, including research findings
Why are loss data sharing consortia common in financial institutions?
They are common as they help reduce operational risk
What is the Operational Risk Consortium (ORIC)?
This is a quality-controlled loss database to support risk management activities for insurers
The Operational Risk Consortium (ORIC) holds information on
It holds information on operational risk, i.e. losses due to failed people, processes, systems or external events
The Operational Risk Consortium (ORIC) aims to improve
It aims to improve the risk measurement and modelling skills of its members
Emergency services provide information on
They provide information on risk and trends in risk
What do consultants range from?
They range from knowledgeable individuals with special skills to subsidiaries of insurers or brokers and global corporations with vast resources and contacts
What do consultants bring to a project?
They bring focused, current information, specialist skills or additional resources to a project
Employing a consultant should be subject to
A stringent cost-benefit assessment, as this is a risk in itself; more particularly, focus on the contract terms determining responsibility for detrimental outcomes after using their information or following their advice
What is the advantage of conferences?
They have a way of bringing together people interested in specialist subjects in a non-confrontational environment
What are ways of collecting internal information?
-A tour
-Automatic information gathering
-Collecting information from documents
What is time well spent for any risk professional?
A tour of an organisation
An efficient organisation tour should include
-visits to various shop floors
-interviews with key operational and facilities managers
-getting to know as many people as you can and trying to make them your friends
During a tour, how does making friends with key operational and facilities managers help an internal information collector?
-They will be able to provide organisation charts and process flow charts for those areas in which they are involved
-They can explain what their unit does, how it does it and where, in their view, their exposures lie
Information that is gathered in a tour will be
A starting point for understanding risks and impact
Who is often responsible for highlighting procedural risk for an individual worker?
The risk department, particularly where practices or personnel have changed in or around a long-established unit
To enable routine risk information collection, what should there be?
There needs to be a proactive management information system developed specifically for use by the risk department
How does the automatic information gathering process begin?
The process begins with an effective method of ensuring that all necessary information is brought into the department and is digested and turned into a useful management tool in a properly structured way
What will make automatic information gathering effective?
The procedures for collecting risk information must be clearly documented and issued with the authority of the managing director or CEO
For collecting automatic information, what procedures must be followed for risks and potential hazards?
There must be a recognised procedure for collecting specific information about risks that materialise into incidents and for recording potential hazards reported by individuals
The recognised procedures for collecting information on risks materialising into incidents and recording potential hazards must clarify
These procedures must clarify how incidents are to be logged and what supporting data is required
For a large multinational organisation it is an enormous task to identify and keep track of risk data, thus
The data collected must be carefully selected and must be reliable, complete and accurate, with a system in place to prevent falsification, alteration or loss
What is the most important thing about data collected from automatic information gathering?
The data must be useful and used in subsequent analysis and reports
It is important for the risk department to form good relationships with operational managers throughout an organisation because
These managers will influence the attitude of the people nominated to report risk data, and in turn will directly affect the quality of the risk information they collect
How are useful risk data collected completely electronically?
Where plant or processes are highly automated or digital sensors are involved
What is an example of where data is electronically collected?
-Security camera operations
-Flight data/black box
For collecting information from documents, what are the selected documents?
They will include minutes of relevant meetings, such as meetings specifically to discuss risk, meetings on key policy and meetings where strategic options are likely to be discussed
Why are discussions on security risks and some commercial risks generally excluded from the minutes of meetings?
This is because publishing risk information might alter the risk concerned
What is our best source of external information?
The internet
What is required to be done with external information collected on paper?
Paper has to be scanned, sorted and processed in exactly the same way as paper information collected internally
Information from the internet comes in which form?
Machine-readable form
External surveys are used extensively to
They are used to measure customer satisfaction and collect information for marketing use
Before processing data, what question must we address?
Is the data reliable, and does it change?
What does processing unreliable data lead to?
This leads to wrong conclusions being drawn, followed by bad management advice and wrong decisions being made
What should we do if we cannot guarantee that our data is trustworthy?
This must be explicitly stated in all subsequent reports and recommendations based on that information, explaining why we think the data is likely not to be trustworthy
Risk professionals must be aware that there is a possibility of deliberate information falsification; what would be the reason behind this?
People may be trying to look good, to provide optimistic results or to hide particular risks; other people may have personal issues, disputes or grudges to resolve
Information change can be in
It can be in personnel, products and marketplaces, or in the many different ways in which products or services are delivered
The risk department must keep adequate detailed records of information change in what form?
In a form that facilitates information search, retrieval and analysis
What other records must the risk department keep?
They must keep records of the analyses performed that led to critical decisions being taken
What are methods of risk identification?
-Organisation charts
-Flow charts
-Checklists and questionnaires
-Physical inspection
-Brainstorming and workshops
-Fault trees
-Hazard and operability studies (HAZOP)
Why is an organisation chart useful?
It is useful as it demonstrates the organisation's activities and organisational structure
An organisation chart can be extended beyond the organisation to reflect
This will reflect where there are critical suppliers among third parties or other group departments
Why will a risk team need considerable people skills when working on organisation charts?
These will be ideal to sell ideas and convince reluctant audiences
What does a flow chart give and show?
It begins to give a clear picture of the risks carried and begins to show in detail how the impact of a risk incident will be felt throughout an organisation
What does a flow chart picture?
It pictures the route taken by all crucial ingredients of the final product through to completion and final delivery
The logic of a flow chart is an essential tool when
Whenever there is a range of products and services that are necessary key ingredients of the final product
How can flow charts be in a large organisation?
They can be extremely large and complicated
In a large organisation, if the chart is too large then
It can be sensibly divided into manageable sections; then consideration should be given to producing several charts, each for a different type of information
How can questionnaires be used?
-As a method of collecting risk data
-They can be used to start quantifying risk
What are straightforward and commonly used tools for risk identification?
Checklists and questionnaires
Checklists and questionnaires are useful
-as an aide-memoire to the risk team directly
-if the risk team needs to delegate information gathering to others
-to bring information that may have been gathered in different places back together in a common format
What is a disadvantage of giving a questionnaire?
The answers completed by the person will be directed by the questions; they may not appreciate the need to add additional information that could, in particular circumstances, be crucial
-Are the questions precisely clear to those who need to answer them, or could there be two interpretations?
What are the benefits of checklists and questionnaires?
They can be an extremely efficient way to get basic information from a large number of different locations and people
Why are trial runs with representative people an important part of questionnaire design?
This is because the feedback can help in the final design before release to the wider audience
What are the main differences between a questionnaire and a checklist?
-A questionnaire is sent to someone else to complete
-A checklist is something that simply prompts a professional or another person to give answers in a particular way
Why do questionnaires use checklists?
They do so to limit the possible answers to a question so that the results are more easily analysed by computer
What is another common use of checklists?
The survey report forms used by risk surveyors
A good questionnaire and checklist will solicit
A series of simple answers that can be easily processed by computer, but it will also allow enough space for the user to complement these answers with comments, opinions and suggestions
What does the design of a checklist need to take into account?
It needs to take into account the technical skills of the user
Why does a survey fulfil a dual role?
It has the role of identifying risks and also begins the job of managing them
What are brainstorming and workshops?
This involves a group selecting a topic for discussion and recording as many ideas as possible
How are brainstorming sessions conducted?
They are usually informal and unstructured; their main focus is freedom of expression and quantity of ideas rather than quality
In brainstorming sessions a professional facilitator may be used, whose role will be
To keep a careful balance between time, the agenda and the direction of the conversation flow
What is a desktop exercise in a brainstorming session?
When meetings are arranged as an exercise where scenarios are described and participants are expected to say how these scenarios might unfold, how damaging they might be and how they could or could not be managed
Desktop exercises are commonly used to help
They help in developing continuity plans
What do desktop exercises highlight?
They highlight risks and threats and their potential impact on a particular division of an organisation. They can explore inter-division dependencies and the importance of these
What is an alternative to desktop discussions?
To simulate incidents for people to manage through, though this is expensive and only appropriate in particular circumstances, usually when loss of life is at stake
What are the useful purposes of exercises in brainstorming and workshop sessions?
A useful purpose is familiarising people with an incident situation so that they cope better if faced with a real emergency
With desktop exercises in brainstorming and workshops, what do participants provide?
They provide feedback, thoughts and ideas that can be studied and used to help manage future risk
When do brainstorming groups gain best value?
They do so if risk professionals join them as full members or as observers or advisers
What does a flow chart illustrate?
The chain of events that brings together materials and resources to create and deliver a finished product. It reveals the source of critical parts
What do fault trees investigate?
They investigate what could cause supplies to cease and consider the likelihood of that happening
Fault trees can achieve two things, which are
-They can look at a flow chart from the point of view of risk and begin to assess the chance of a supply chain being broken
-They can look at the risk within a process or piece of machinery and take a view on the potential for damage
What does the fault tree not look at?
The process leading to the end result
What does the fault tree look at?
It tries to understand the potential for a failure to deliver that which is critically needed, and then looks backwards to search out the possible cause of that failure, which could be a single cause or a combination of causes
How does fault tree analysis begin?
It begins with each ingredient, then considers whether that ingredient could fail to arrive in a timely way at the point of inclusion, and if so it takes a view on the consequences
Under fault tree analysis, what is the premise?
The premise is that a production line is an integrated evolving process whereby there is one time only and one place only for each part to be added
When examining what could cause supply to fail, the risk professional may also wish to review
The quality and resilience of the supplier's factory; they may look at the supplier's own policy in sourcing materials
How may an organisation reduce the potential for single points of failure in the supply chain?
They may do so by sourcing ingredients from two or more entirely different suppliers, as the risk of simultaneous failure by two suppliers is much less if they are geographically separate
An organisation will maintain a high focus on which ingredients?
High-dependency/low-availability ingredients
What type of ingredients are high-dependency/low-availability ingredients?
These are ingredients that could be a specialist or bespoke product on which the organisation's own production line has a high and urgent dependency. It will look at these dependencies and other events that may cause failure or loss
For fault trees and the supply chain, the questions are asked to gain
The view of risk and dependencies; these questions can be equally valid within the organisation and for the supplier of critical parts, the issue being continued supply of quality ingredients
How will the fault tree help risk managers?
The fault tree can highlight individual exposures that help the risk manager to prioritise attention to those risk incidents most likely to occur or those that would have the most significant impact
What are Hazard and Operability studies (HAZOP)?
This is a method of quantifying risk that can work well alongside the fault tree
How are Hazard and Operability studies (HAZOP) conducted?
They are rigorous and detailed, and usually contain computerised fault tree analysis of safety-critical systems or system components, often conducted during their design
Where did the Hazard and Operability studies (HAZOP) concept originate?
It originated in the chemical industry; it is a qualitative enquiry into the operation of a plant from the point of view of hazard
Hazard and Operability studies (HAZOP) address the four questions below
-What is the part INTENDED to achieve?
-What deviations are possible from the usually expected delivery?
-What could be the causes of those variations?
-What could be the consequences of those variations?
When examining the causes in HAZOP, the risk department needs to ask two important questions
-What event/cause could cause a deviation to that degree?
-What combination of events could cause a deviation to that degree?
When is a HAZOP-type study most appropriately carried out?
It is carried out on a piece of equipment that is understood to be important or to possess safety dangers. This equipment is important to the safety of employees, visitors or neighbours, or is a key part of a chain of events that delivers the final product or service
HAZOP studies are often designed to
They are designed specifically to identify potential worst-case scenarios