CHAPTER 5 Flashcards
(118 cards)
1
Q
How do we decide how to manage the underlying risk
A
When we understand all possible consequences of an incident
2
Q
What is Risk assessment
A
This is a set of working tools used to examine threats that may bring damage or loss to an org, its responsbitiies and its objectives
3
Q
What is the purpose of examiing threats
A
To stimulate decisions as to how those threats are to be managed
4
Q
What do we need to do to istingus and catalogue risks for comparison
A
we need to quantify the damage that could result if each risk materialised
5
Q
Combining impacct and probability gives us the basis for
A
Basis for risk comparison and ranking
6
Q
Why does risk assessemen require exploring option for risk control
A
This is so becasue we need to see what risk reduction precautions are possible
7
Q
why must risk and their analysis be associated with DATES
A
This is so that changes can be tracked over time and background to decisions can be revisited and reviewed
8
Q
How must risk data be kept
A
Risk data must be kept in an easily understood and accessible file and in a form that allows for info to be used in related exercises like stress testig and risk modelling
9
Q
The risk database must be able to accomodate
A
It must accomodate change and allow for measurements to assess effectivenes of controls
10
Q
What will determine the software tools to be used in managment and future use of data
A
The size and complexity of data to be stored and intentions
11
Q
What is risk categorisation
A
Putting riks into categories and then looking within each category to determine which risks are important and which risks can be ignored
12
Q
Which risks are not worth investigating and controlling
A
Those risks whose impact is less than the value of resources employed
13
Q
Why is risk categorization important
A
The system are importnat as they enable an org to identify accumulations of simila risks and clarify potential for applying common risk control strategies
14
Q
Risk categorization system help with
A
They help organisations identify which strategies, tactics and operations are most vulnerable to anticipated threats
15
Q
How do orgs decide which categories to use
A
they decide after considering what the information will be used for
16
Q
The chosen categories for risk categorisato should cover
A
They should over all identified risks yet minimise the risk of overlap
17
Q
Why have attempts to classsify risks been proved difficult in practice
A
This occurs when more than one casue can contribute to an event.
18
Q
What isssue In insurance causes a separate category to be warrant
A
Preserving the liquidity ratuio
19
Q
What is frictional risk
A
This covers the effect of changes in legal, accounting, regulatory,credit agency requiements or any similar event that puts u costs above those that would otherwise be reauired
20
Q
whta is Basel II banking regulations
A
its another industry specific categorisation
21
Q
What is a lst of official Base II events
A
-internal fraud
-external fraud
-employment practices and workpace safety
-clients,products and b’ness practice
-damage to physical assts
-business disruption and systems failures
-execution,delivery and process management
22
Q
What is COSSO reporting mainly concerned with
A
Its concerned with the US legal requiremet to report accurate financial data
23
Q
Financial Risks are concerned with
Risk categorisation systems
A
They are concerned with internal financial controls, risk related to maney managment, asset values, credit availability, liquidity and financial profitability
24
Q
What does PESTLE stand for
A
Politics,Economics, Social,Technologial,Legal and Environment
25
What does PESTLE break down
It breaks down the external environment in which an org operates
26
when is PESTL and SWOT used together
They are used together when creating and reviewing strategic plans
27
Provide examples where PESTLE and SWOT have been used together for a cause
-Market Research
-Strategic analysis
-Mainly for exploring external factors that influence an organisation
28
What happens if risk categories and subcategories are selected
Compilation of annual reports and other publication for investors become easier, boards are presented with info in a more comprehensive form, questions from regulators,media and other stakeholders are more readily answered
29
If we want to compare and manage risks what do we need to do
We need to measure consequent losses or gains of risks materialise
30
When does it become difficult to attach monetary value
In situation of personal consequences like injury and loss of life, loss of reputation, consewuene and destruction of brand value
31
What are some of the types of daamges involved when measuring ompact of risk
-Health damage,injury or loss of lfe
-Asset Loss
-Time and resources
-Business survival
-Defining impact
-Aggregate Loss
-Risk Aggregation
32
What should be done to any risk that threatens survival of an org
High priority attentioneven if the probability of it materialising is remote
33
What are some examples of issues that could affect confidence
-Damage to the credibility of a brand
-concern with regulatory approvals and licenses
-security of intellectual assets
-Mistrusts of strategic direction
34
what other risk is associated with confidence
Reputation risk, damage to this in most businesses could directly result in loss of potential inome,divestment, loss of market value leading to susbequent takeover and in some cases for large org could result in closyre
35
How is credit,solvencu and liquidity risks controlled in an org
Affairs must be managed so that assets exceed liabilities and the organisation does not run out of cash
36
What is loss of credit equivalent to
It;s equivalent to running out of cash if the organisation relies on borrowing for day to day operations
37
Which oganisation are more prone to third party damages
-Nuclear power operation
-Aviation
-Chemicals
-Oil Exploration
-Transportation
As they can cause widespread human and environmental havoc if things go wrong
38
What some of the risks that could affect Business Survival
| Survival Risks
-High monetary value incidence
-Loss of confidence
-Reputation risk
-Credit,Solvency and Liquidity risks
-Loss of credit
-Third party damage
39
How to measure risks that impacts cant be measured in financial terms
| Defining Impact
Usually the solution is to attach codes to the risk that flag its importance in broad qualitative terms
40
When measuring non finacial impacts by attachng codes, how are these codes allocated
These codes are allocated after discussion with appropriate managers, e.g it could be a broad categories of assessment like intolerable,high,medium and low
41
How are money values allocated to the remaining risks after recording non - financial impacts
Impacts can be recorded at net cost or gross cost
42
When allocating money values to risks, what are net costs
they are costs afer any insurance claims are met ot recoveries from any other risk financing have been made
43
When allocating money values to risks, what are gross costs
These costs include sums even though they may eventually be recovered
44
What is maximum prossible loss
This means it's impossible for quantam of loss to exceed the stated figure
45
What is maximum probable loss
This means its only proable that the loss will not exceed the stated amount
46
When must lossess be aggregated
When a risk results in simultaneous multile incidents of damage
47
When is historical data best used
They are best used to predict future trends if nothing has changed since the data was collected. However this is rarely the case
48
Withmeasuring probability what can produce output that is misleading
slight inaccracies or variables in input data
49
The theory of statistical analysis depends on
| measuring probability
It depends on their being a minimum number and spread of core incidents to enable the laws of averages to be applied and for clear and usable trends to emerge
50
What is the prime use of historical data analysis in risk management
The prime use is to determeine expected values or ranges of value for particular ongoing risks
51
What does the theory of probability set out
It sets out to illustrate likelihood or probability as a numerical value
52
What does probability tell us
Probability tells us the chande that something might happen in a chosen period of time
53
When is probability best used
when conidering infrequent high damage risks
54
What is frequency
Is an expression of how often an event may occur
55
what is the objective of any method of risk aggregation
To represent diverse risk exposures on a common numerical scale whose sum can be calculated in real time if required
56
What are some obvious problems in trying to aggregate risks accross an organisation
-wide variety of type of risk involved
-combining qualitative and quantitative info esp qualitative
-different risk apetite thresholds at different levels in multile orgs and functioonal hierachies
-risk not confined to individual hieratches
-relationships between risks
-continually changing b'ness external and internal environment
57
what may the risk department do if they have to present or publish risk information
They may bring probability and impact together by multiplying the two to create an overall risk factor indicating the size of the risk
58
What is a risk factor determied by multiplying probabiliyy by potential loss/impact quatnified as
This is quantified as a measure of the possible loss to which an org is exposed as a result of some activity or event
59
Exposure is well undestood in business often calculated for which things
-liability issues
-property loss/damage
-product demand variation
60
In insurance how is exposure regulaly tracked
Its tracked in respect of outstanding claims
61
What does risk ranking hide
It hides the distinction wheter a high level of exposure is due to high probability or impact value
62
To deal with the issue that arises with risk ranking of hiding the distinction what may one do
They would buld a graphical demonstration of risk, by using a simple matrix format
63
On face value a simple matrix presentation is a useful way of
Its a useful way of illustrating the relative importance of a number of risks but in practice a typical risk matrices must be treated with a great deal of caution
64
what are some of the issues faced with a typical risk matrices
-with only a few categories this means that identical ratings can be allocated to quantitatively very different risks
-Error can result in higher qualitative ratings being allocated to quantitatively smaller risks
-Qualitative ranings are subjective rather than objective
65
What is risk ranking
The process of comparing different risks and presenting them in an order of priority for the use of resources
66
Risk compariosn is useful in
They are useful in benchmarking, for presentation purposes and to support arguments or explanatin
67
Risk professionals are strongly advised to familiarise themselves with
They are advised to familiarise themselves with communication and presentation techniques if they want their recommedations to be accepted
68
What can a careless graphical representation or risk comparison do
They can destroy the credbility of an argument even if it is logically correct
69
Why is it convineient to adopt a numerical classification of impact
So that risks can be more easily compared
70
What are risk factor indices
These are some standard classification used by an org to compare the risks they carry
71
What is an important risk factor indices
Dow Fire and Explosion Index
72
What is the Dow Fire and Explosion Index designed to do
This index is designed to classify particular hazards that lie within a process in a factory
73
How does Dow Fire and Explosion work
It applies a predetermiend factor number to hazards within that proess tha re knon to increase overall risk of damage
74
How is the Dow Fire and Explosion calculaton
The calculation process is staightforward usinf a standarised spreadsheet format
75
The Dow Fire and Explosion has been proven to be useful in
It has been proven to be useful in determining plant layouts and separation between vessels in chemical process plants
76
When are risk factor indices likely to be of best value
They are of best value when used to support decisions about prioities and resources to be applied to events that happen reasonably frequntly
77
When are risk factor indices likely to be of best value
They are of best value when used to support decisions about prioities and resources to be applied to events that happen reasonably frequntly
78
Risk factor indicies are best used for which estimaton
They are used to estimate likely total cost of a type of incident over a period of time
79
What is risk apetite
The extent to which an orgnisation will tolerate a risk
80
Risk Controls can be divided to four broad classes which are
-Preventive
-Corrective
-Directive
-Detective
81
What is Preventitve measure for risk controls
Measure to stop a risk happening or unwanted outcome arising
82
What is Corrective measure for risk control
This is a measure to limit sope of loss and reduce any undesirable outcomes that have come about once the loss or damage hs materialised
83
What is Directive measure for risk control
Controls to ensure particular aim is realised
84
What is Detective measure for risk control
after th event measures to identify when an incident has happened
85
Most orgs implement which controls
Preventative controls, these are designed to reduce the possibility of undesriable outcomes
86
What are corective controls designed to do
They are designed to correct undesirable outcomes that have already occured. They are a means of reocvery against loss or damage
87
What is continuity planning
This is another corrective control, organisation plan for b'ness continuity and recovery after events which they could not prevent
88
How is insurance a form of corrective control
It is as it facilitaties financial recovery when an insured risk materialises
89
What are directive controls used for
They are instructions or regulations designed to ensure that a particular outcome is achieved
90
What are directive controls commonly associated with
They are associated with health,safety and security. They are important when people's behaviour can prevent a undesirable event
91
What are some examples of directive controls
-requirements to wear protective clothing while performing dangerous duties
-staff are trained to certain skill levels before being allowed to work unsupervised
92
what are checklists, worksheets and test schedules
these are directive controls
93
Whichindustriies use directive controls best
-Aviation industry
-Oil and gas expliraton
94
What are detective controls designed to do
They are designed to identify unwanted occurrences that have alreadhy happened and are thus only appropriate ehrn it is possible to accept the loss or damage incured
95
What are some detective controls
-Stock checks
-Asset Checks
-Reconcilliation
As they can detect theft or similar anomalies
96
How is reconcilitiona nother technique of detectie control
Reconciliting authorised payments with banks tatements will detect unauthorised transactions
97
How are audits,inspections and quality quontorl detective
They are because they look for causes of defects in products and procedures with a view to introducing changes in the future
98
What is market risk
This is concerned with risk of lossess inn tradingpositions arising from movement in market prices
99
What are the prevention controls in avoiding market risks
The prevention controls aound the managmenet of this risk coudl involve decisions regarding investment strategis
100
What are the corrective controls in avoiding market risks
They can be insurance and hedging
101
What are the directive controls in avoiding market risks
Directive controssuch as limiting indivisual trading activities
102
What are the detective controls in avoiding market risks
The detective controls coulld be adopted such as the org deciding to monitor unusual trading activity over an appropriate time frame
103
What is credit risk
This is a risk that a counterparty will suffer real or percieved deterioration in financial strength or unable to pay mpunts in full due
104
What are preventive controls in credit risks
This would include regular credit checks of current and potentia counterparties
105
What are corrective controls in credit risks
Would include contract terms to safeguard assets held as securtes for loans and use of multiple insurers to protect large potential liabilityes
106
What are directive controls in credit risks
This wouldl restrict trading to counterparties whose creit has been approved
107
What is liquidity risk
This is a risk of running out of cash when it is neeed to meet financial obligation
108
What are preventive controls in liquidity risks
Preventive controls would be strategic decisions on capital reserves and ratios, daily cash management and attention to contract payment terms and debt collection
109
What are corrective controls in liquidity risks
This would include arranging overdraft facilities, hort trm credit and loan facilities or agreements with shareholders to inject capital at short notice
110
What are directive controls in liquidity risks
This would be supporting managment in enforcing the discpline required
111
Cost effectiveness of risk control can be estimated by
This can be estimated by comparing impact of uncontrolled risk with impact of the same risk assuming the proposed control is in place. The difference between the 2 impact assessments must atleast be greater than the ost of implementing the controls
112
What is a risk register
This is a register of al risk information that is needed to be recorded
113
What is the aim of a risk register
The aim is to build a complete picture or risk profile of the org or of selected individual or collection of risks deemed important
114
What must the design of a risk register allow
It must alow useful informaton to be produced
115
What will an org note as a risk register matures
The org disovers more uses for the information and will add further analysis or detail to the categories
116
What are the essential data in a risk registfer
-Risk description
-Proability
-Impact assessment is supplemented by info about existing risk controls
-Ranking
-Priorities
-Risk ownership
-Recommendarion for new or improved risk control
117
Risk registers can fulfill which dual role
-Faciliating practical management of risk
-Helping instil or condolidate risk management culture into day to day operations
118
Typucal distributed risk register implementtion might involve
-automatic diary system to warn when risks are due for review
-tiered acess levels to individual risks
-authorisation procedures to accept new risk
-comprehensive enquiry and reporting facilities
-procedures for suggesting and authorising new/improved risk controls
