CHAPTER 5 Flashcards
How do we decide how to manage the underlying risk
When we understand all possible consequences of an incident
What is Risk assessment
This is a set of working tools used to examine threats that may bring damage or loss to an org, its responsibilities and its objectives
What is the purpose of examining threats
To stimulate decisions as to how those threats are to be managed
What do we need to do to distinguish and catalogue risks for comparison
We need to quantify the damage that could result if each risk materialised
Combining impact and probability gives us the basis for
Basis for risk comparison and ranking
Why does risk assessment require exploring options for risk control
This is so because we need to see what risk reduction precautions are possible
Why must risks and their analysis be associated with DATES
This is so that changes can be tracked over time and background to decisions can be revisited and reviewed
How must risk data be kept
Risk data must be kept in an easily understood and accessible file and in a form that allows for info to be used in related exercises like stress testing and risk modelling
The risk database must be able to accommodate
It must accommodate change and allow for measurements to assess effectiveness of controls
What will determine the software tools to be used in management and future use of data
The size and complexity of data to be stored and intentions
What is risk categorisation
Putting risks into categories and then looking within each category to determine which risks are important and which risks can be ignored
Which risks are not worth investigating and controlling
Those risks whose impact is less than the value of resources employed
Why is risk categorization important
The systems are important as they enable an org to identify accumulations of similar risks and clarify potential for applying common risk control strategies
Risk categorization systems help with
They help organisations identify which strategies, tactics and operations are most vulnerable to anticipated threats
How do orgs decide which categories to use
They decide after considering what the information will be used for
The chosen categories for risk categorisation should cover
They should cover all identified risks yet minimise the risk of overlap
Why have attempts to classify risks proved difficult in practice
This occurs when more than one cause can contribute to an event.
What issue in insurance causes a separate category to be warranted
Preserving the liquidity ratio
What is frictional risk
This covers the effect of changes in legal, accounting, regulatory, credit agency requirements or any similar event that puts up costs above those that would otherwise be required
What is Basel II banking regulations
It's another industry-specific categorisation
What is a list of official Basel II events
-internal fraud
-external fraud
-employment practices and workplace safety
-clients, products and b’ness practice
-damage to physical assets
-business disruption and systems failures
-execution, delivery and process management
What is COSO reporting mainly concerned with
It's concerned with the US legal requirement to report accurate financial data
Financial Risks are concerned with
Risk categorisation systems
They are concerned with internal financial controls, risk related to money management, asset values, credit availability, liquidity and financial profitability
What does PESTLE stand for
Politics, Economics, Social, Technological, Legal and Environment
What does PESTLE break down
It breaks down the external environment in which an org operates
When are PESTLE and SWOT used together
They are used together when creating and reviewing strategic plans
Provide examples where PESTLE and SWOT have been used together for a cause
-Market Research
-Strategic analysis
-Mainly for exploring external factors that influence an organisation
What happens if risk categories and subcategories are selected
Compilation of annual reports and other publications for investors becomes easier, boards are presented with info in a more comprehensive form, questions from regulators, media and other stakeholders are more readily answered
If we want to compare and manage risks what do we need to do
We need to measure consequent losses or gains if risks materialise
When does it become difficult to attach monetary value
In situations of personal consequences like injury and loss of life, loss of reputation, consequence and destruction of brand value
What are some of the types of damages involved when measuring impact of risk
-Health damage, injury or loss of life
-Asset Loss
-Time and resources
-Business survival
-Defining impact
-Aggregate Loss
-Risk Aggregation
What should be done to any risk that threatens survival of an org
High priority attention even if the probability of it materialising is remote
What are some examples of issues that could affect confidence
-Damage to the credibility of a brand
-concern with regulatory approvals and licenses
-security of intellectual assets
-Mistrusts of strategic direction
What other risk is associated with confidence
Reputation risk, damage to this in most businesses could directly result in loss of potential income, divestment, loss of market value leading to subsequent takeover and in some cases for a large org could result in closure
How are credit, solvency and liquidity risks controlled in an org
Affairs must be managed so that assets exceed liabilities and the organisation does not run out of cash
What is loss of credit equivalent to
It's equivalent to running out of cash if the organisation relies on borrowing for day to day operations
Which organisations are more prone to third party damages
-Nuclear power operation
-Aviation
-Chemicals
-Oil Exploration
-Transportation
As they can cause widespread human and environmental havoc if things go wrong
What are some of the risks that could affect Business Survival
Survival Risks
-High monetary value incidence
-Loss of confidence
-Reputation risk
-Credit, Solvency and Liquidity risks
-Loss of credit
-Third party damage
How to measure risks whose impacts can't be measured in financial terms
Defining Impact
Usually the solution is to attach codes to the risk that flag its importance in broad qualitative terms
When measuring non-financial impacts by attaching codes, how are these codes allocated
These codes are allocated after discussion with appropriate managers, e.g. it could be broad categories of assessment like intolerable, high, medium and low
How are money values allocated to the remaining risks after recording non - financial impacts
Impacts can be recorded at net cost or gross cost
When allocating money values to risks, what are net costs
They are costs after any insurance claims are met or recoveries from any other risk financing have been made
When allocating money values to risks, what are gross costs
These costs include sums even though they may eventually be recovered
What is maximum possible loss
This means it’s impossible for quantum of loss to exceed the stated figure
What is maximum probable loss
This means it's only probable that the loss will not exceed the stated amount
When must losses be aggregated
When a risk results in simultaneous multiple incidents of damage
When is historical data best used
They are best used to predict future trends if nothing has changed since the data was collected. However this is rarely the case
With measuring probability what can produce output that is misleading
Slight inaccuracies or variables in input data
The theory of statistical analysis depends on
measuring probability
It depends on there being a minimum number and spread of core incidents to enable the laws of averages to be applied and for clear and usable trends to emerge
What is the prime use of historical data analysis in risk management
The prime use is to determine expected values or ranges of value for particular ongoing risks
What does the theory of probability set out
It sets out to illustrate likelihood or probability as a numerical value
What does probability tell us
Probability tells us the chance that something might happen in a chosen period of time
When is probability best used
When considering infrequent high damage risks
What is frequency
Is an expression of how often an event may occur
What is the objective of any method of risk aggregation
To represent diverse risk exposures on a common numerical scale whose sum can be calculated in real time if required
What are some obvious problems in trying to aggregate risks across an organisation
-wide variety of type of risk involved
-combining qualitative and quantitative info esp qualitative
-different risk appetite thresholds at different levels in multiple orgs and functional hierarchies
-risk not confined to individual hierarchies
-relationships between risks
-continually changing b’ness external and internal environment
What may the risk department do if they have to present or publish risk information
They may bring probability and impact together by multiplying the two to create an overall risk factor indicating the size of the risk
What is a risk factor determined by multiplying probability by potential loss/impact quantified as
This is quantified as a measure of the possible loss to which an org is exposed as a result of some activity or event
Exposure is well understood in business often calculated for which things
-liability issues
-property loss/damage
-product demand variation
In insurance how is exposure regularly tracked
It's tracked in respect of outstanding claims
What does risk ranking hide
It hides the distinction whether a high level of exposure is due to high probability or impact value
To deal with the issue that arises with risk ranking of hiding the distinction what may one do
They would build a graphical demonstration of risk, by using a simple matrix format
On face value a simple matrix presentation is a useful way of
It's a useful way of illustrating the relative importance of a number of risks but in practice typical risk matrices must be treated with a great deal of caution
What are some of the issues faced with typical risk matrices
-with only a few categories this means that identical ratings can be allocated to quantitatively very different risks
-Error can result in higher qualitative ratings being allocated to quantitatively smaller risks
-Qualitative rankings are subjective rather than objective
What is risk ranking
The process of comparing different risks and presenting them in an order of priority for the use of resources
Risk comparison is useful in
They are useful in benchmarking, for presentation purposes and to support arguments or explanation
Risk professionals are strongly advised to familiarise themselves with
They are advised to familiarise themselves with communication and presentation techniques if they want their recommendations to be accepted
What can a careless graphical representation or risk comparison do
They can destroy the credibility of an argument even if it is logically correct
Why is it convenient to adopt a numerical classification of impact
So that risks can be more easily compared
What are risk factor indices
These are standard classifications used by an org to compare the risks they carry
What is an important risk factor index
Dow Fire and Explosion Index
What is the Dow Fire and Explosion Index designed to do
This index is designed to classify particular hazards that lie within a process in a factory
How does Dow Fire and Explosion work
It applies a predetermined factor number to hazards within that process that are known to increase overall risk of damage
How is the Dow Fire and Explosion Index calculated
The calculation process is straightforward using a standardised spreadsheet format
The Dow Fire and Explosion has been proven to be useful in
It has been proven to be useful in determining plant layouts and separation between vessels in chemical process plants
When are risk factor indices likely to be of best value
They are of best value when used to support decisions about priorities and resources to be applied to events that happen reasonably frequently
Risk factor indices are best used for which estimation
They are used to estimate likely total cost of a type of incident over a period of time
What is risk appetite
The extent to which an organisation will tolerate a risk
Risk Controls can be divided to four broad classes which are
-Preventive
-Corrective
-Directive
-Detective
What is Preventive measure for risk controls
Measure to stop a risk happening or unwanted outcome arising
What is Corrective measure for risk control
This is a measure to limit scope of loss and reduce any undesirable outcomes that have come about once the loss or damage has materialised
What is Directive measure for risk control
Controls to ensure particular aim is realised
What is Detective measure for risk control
After-the-event measures to identify when an incident has happened
Most orgs implement which controls
Preventative controls, these are designed to reduce the possibility of undesirable outcomes
What are corrective controls designed to do
They are designed to correct undesirable outcomes that have already occurred. They are a means of recovery against loss or damage
What is continuity planning
This is another corrective control, organisation plan for b’ness continuity and recovery after events which they could not prevent
How is insurance a form of corrective control
It is as it facilitates financial recovery when an insured risk materialises
What are directive controls used for
They are instructions or regulations designed to ensure that a particular outcome is achieved
What are directive controls commonly associated with
They are associated with health, safety and security. They are important when people’s behaviour can prevent an undesirable event
What are some examples of directive controls
-requirements to wear protective clothing while performing dangerous duties
-staff are trained to certain skill levels before being allowed to work unsupervised
What are checklists, worksheets and test schedules
These are directive controls
Which industries use directive controls best
-Aviation industry
-Oil and gas exploration
What are detective controls designed to do
They are designed to identify unwanted occurrences that have already happened and are thus only appropriate when it is possible to accept the loss or damage incurred
What are some detective controls
-Stock checks
-Asset Checks
-Reconciliation
As they can detect theft or similar anomalies
How is reconciliation another technique of detective control
Reconciling authorised payments with bank statements will detect unauthorised transactions
How are audits, inspections and quality control detective
They are because they look for causes of defects in products and procedures with a view to introducing changes in the future
What is market risk
This is concerned with risk of losses in trading positions arising from movement in market prices
What are the prevention controls in avoiding market risks
The prevention controls around the management of this risk could involve decisions regarding investment strategies
What are the corrective controls in avoiding market risks
They can be insurance and hedging
What are the directive controls in avoiding market risks
Directive controls such as limiting individual trading activities
What are the detective controls in avoiding market risks
The detective controls could be adopted such as the org deciding to monitor unusual trading activity over an appropriate time frame
What is credit risk
This is a risk that a counterparty will suffer real or perceived deterioration in financial strength or be unable to pay amounts due in full
What are preventive controls in credit risks
This would include regular credit checks of current and potential counterparties
What are corrective controls in credit risks
Would include contract terms to safeguard assets held as securities for loans and use of multiple insurers to protect large potential liabilities
What are directive controls in credit risks
This would restrict trading to counterparties whose credit has been approved
What is liquidity risk
This is a risk of running out of cash when it is needed to meet financial obligations
What are preventive controls in liquidity risks
Preventive controls would be strategic decisions on capital reserves and ratios, daily cash management and attention to contract payment terms and debt collection
What are corrective controls in liquidity risks
This would include arranging overdraft facilities, short term credit and loan facilities or agreements with shareholders to inject capital at short notice
What are directive controls in liquidity risks
This would be supporting management in enforcing the discipline required
Cost effectiveness of risk control can be estimated by
This can be estimated by comparing impact of uncontrolled risk with impact of the same risk assuming the proposed control is in place. The difference between the 2 impact assessments must at least be greater than the cost of implementing the controls
What is a risk register
This is a register of all risk information that is needed to be recorded
What is the aim of a risk register
The aim is to build a complete picture or risk profile of the org or of selected individual or collection of risks deemed important
What must the design of a risk register allow
It must allow useful information to be produced
What will an org note as a risk register matures
The org discovers more uses for the information and will add further analysis or detail to the categories
What are the essential data in a risk register
-Risk description
-Probability
-Impact assessment is supplemented by info about existing risk controls
-Ranking
-Priorities
-Risk ownership
-Recommendation for new or improved risk control
Risk registers can fulfill which dual role
-Facilitating practical management of risk
-Helping instil or consolidate risk management culture into day to day operations
Typical distributed risk register implementation might involve
-automatic diary system to warn when risks are due for review
-tiered access levels to individual risks
-authorisation procedures to accept new risk
-comprehensive enquiry and reporting facilities
-procedures for suggesting and authorising new/improved risk controls