Chapter 5 - Introduction to Risk Management Flashcards
What is risk?
Risk is the possible variation in an outcome from what is expected to happen. Can be measured and quantified.
What is uncertainty?
Uncertainty is the inability to predict the outcome from an activity due to a lack of information. Can’t be measured.
What are upside and downside risks?
Upside and downside risks refer to whether events could turn out better or worse.
What is downside risk?
Downside risk is the risk that something will go wrong.
What is upside risk?
Upside risk is the likelihood that things will go right.
How far does risk affect a business achieving its objectives?
Risk affects business success and achieving objectives through pure and speculative risks.
What is pure risk?
Pure risk describes the possibility that something will go wrong.
What is speculative risk?
Speculative risk describes the possibility that something could go better than expected.
What are controllable and uncontrollable risks for a business?
Businesses face controllable and uncontrollable risks in their pursuit of shareholder wealth maximization.
What are controllable risks?
Controllable risks concern factors such as ensuring internal controls are adequate, funding projects, and maintaining corporate reputation through ESG policies.
What are uncontrollable risks?
Uncontrollable risks concern factors such as trading conditions, new market entrants, and societal changes.
What types of risks do investors face in a business?
Investors face risks specific to their roles: lenders bear credit risks, and shareholders bear market risks.
What risks do lenders face?
Lenders face the risk of business default on debt obligations, such as failure to make interest payments or repay loan principal.
What risks do shareholders face?
Shareholders are the ultimate bearers of risk. Shareholders bear risks related to company profits, dividends, and share price, which may vary significantly over time. Variation known as volatility of returns.
What is the volatility of returns?
The volatility of returns refers to the wide variation in profits, dividends, and share prices over the long term.
What is risk appetite?
Risk appetite is the extent to which a business is prepared to take on risks to achieve its objectives.
Why is risk appetite important in strategic planning?
Risk appetite is important because it helps a business decide on appropriate strategies by evaluating its tolerance for risk and aligning it with potential returns.
What is a risk-averse attitude?
A risk-averse attitude means choosing investments that are more certain but possibly have lower returns compared to alternatives with higher potential returns.
What is a risk-neutral attitude?
A risk-neutral attitude means choosing investments solely based on their expected return, regardless of the level of risk.
What is a risk-seeking attitude?
A risk-seeking attitude means choosing investments that offer higher levels of risk, even if their expected return is lower than alternative no-risk investments with higher expected returns.
What are the main classifications of risk?
Risks can be broadly classified into business, financial, and operational risks.
What is business risk? What are examples of business risks?
Business risk arises from the nature of the entity’s business, its industry, and operating conditions. Examples include strategy risk, enterprise risk, product risk, financial risk, and sustainability and climate change risks.
What is strategy risk?
Strategy risk is the risk that the wrong strategy is chosen, leading to failure to achieve objectives.
What is enterprise risk?
Enterprise risk is the risk of a strategy succeeding or failing.
What is product risk?
Product risk is the chance that a product fails in the market.
What is financial risk?
Financial risk arises from changes in interest rates, business financing, and exchange rates.
What are sustainability and climate change risks?
These risks include physical risks (e.g., storms), transition risks (e.g., PESTEL, regulatory changes), reputational risks, finance risks, governance risks, and regulatory risks.
Breakdown the type of Sustainability and climate change risk, what do these mean?
– Physical risks
– Transition risks
– Reputational risks
– Finance risk
– Governance risks
– Regulatory risks
Sustainability and climate change risk: important examples of these are:
– Physical risks: arising from impacts of climate change, such as storms and wildfires
– Transition risks: risk of changes to areas of PESTEL in the move to a low-carbon economy
– Reputational risks: risk that poor environmental and social behaviour harms reputation
– Finance risk: risk that finance providers refuse applications due to poor ESG performance
– Governance risks: risk that poor governance leads to poor decision making and/or fraud
– Regulatory risks: risk of fines from non-adherence of environmental/social regulations
What is operational risk?
Operational risk is the risk that something goes wrong in day-to-day operations.
What is financial risk, and how can it be classified?
Financial risks can be controllable (e.g., gearing, credit, liquidity) or uncontrollable (e.g., market risks).
What is gearing risk?
Gearing risk is the risk of being a highly geared business, leading to a riskier investment profile and financing challenges. High level of debt to equity.
What is credit risk?
Credit risk is the risk that customers fail to pay their invoices.
What is liquidity risk?
Liquidity risk is the chance the business runs out of cash.
What is market risk?
Market risk is an uncontrollable risk involving external factors like price changes, stock market volatility, and foreign exchange rates.
Define Hedging
Hedging is a strategy to limit investing risks. Investors hedge an investment by making a trade in another that is likely to move in the opposite direction.
What is process risk?
Process risk is the chance that a process is inefficient or ineffective.
What is people risk?
People risk arises from poor quality, inefficient, or insufficient staffing.
What is system risk?
System risk arises from any system’s capacity, security, integrity, or access failures.
What is event risk?
Event risk is the chance that a rare event, like a disaster or regulatory change, occurs with significant implications.
What is cyber risk?
Cyber risk arises from IT and IS system breaches, such as cyber-attacks, poor system integrity, or simple accidents.
What are the four key risk concepts?
The four key risk concepts are exposure, volatility, impact, and probability.
What is exposure in the context of risk?
Exposure is the measure of the way in which a business is faced by risks due to the nature of the business.
What is volatility in the context of risk?
Volatility is how the factor to which a business is exposed is likely to alter.
What is impact (or consequence) in the context of risk?
Impact refers to measures of the amount of the loss if the undesired outcome occurs.
What is probability (or likelihood) in the context of risk?
Probability means how likely it is that a particular outcome will occur. It can sometimes be estimated based on past experience.
How is statistics used in risk management?
Statistics in risk management involves the collection, description, analysis, and inference of conclusions from quantitative data.
What is a data set?
A data set is a collection of data about a population or a sample taken from within a population.
What are descriptive statistics?
Descriptive statistics describe the properties of the sample and population data, such as the average value and degree of variability.
What are inferential statistics?
Inferential statistics analyze samples to draw conclusions about the population.
Define Measures of central tendency (averages)
Measures of central tendency attempt to measure the average or typical value in a given set of data. The most commonly used methods are:
Mean: a mathematical average of all of the items within the data.
Mode: the most frequently occurring observation in the data set.
Median: an observation in the middle of the data set.
Expected value: a weighted average where each observation in the data set has a different chance of occurring.
Define Mean 1 Advantages 2 Disadvantages 3
Mean: a mathematical average of all of the items within the data.
Advantages
Easy to calculate and understand.
Representative of all of the values in the data set.
Disadvantages
May not return a value within the data set.
Two data sets with very different ranges of observations may return the same mean.
Can be distorted by outliers.
Define Mode Advantages 3 Disadvantages 3
Mode: the most frequently occurring observation in the data set.
Advantages
Easy to find and understand.
Is the value of at least one actual observation within the data set.
Works for qualitative data. Not influenced by outliers.
Disadvantages
Does not take into account all observations within the data set.
There can be more than mode.
Not suited to further statistical analysis.
Define Median Advantages 2 Disadvantages 4
Median: an observation in the middle of the data set.
Advantages
Easy to understand.
Is not distorted by outliers (very large or very small observations).
Disadvantages
May not return a value within the data set.
Does not consider all of the observations within the data set.
Difficult to identify in large data sets as values have to be ordered.
Not suited to further statistical analysis.
Define Expected Value
Expected value: a weighted average where each observation in the data set has a different chance of occurring. Expected return (probability x return) (£)
What are measures of dispersion?
Measures of dispersion help demonstrate the spread of observations within a data set.
Why are measures of dispersion important?
They show how data points vary and help understand the degree of variability in a dataset.
What is the range in measures of dispersion?
The range is the difference between the highest and lowest observations in the data set. It can be heavily distorted by outliers as it ignores all but two observations.
What is deviation in measures of dispersion?
Deviation measures how far each observation is above or below the mean. Positive deviation is above the mean, and negative deviation is below.
What is variance in measures of dispersion?
Variance is the average squared deviation of observations in a data set. It shows how spread out the data is and is a stepping stone for calculating standard deviation.
What is standard deviation in measures of dispersion?
Standard deviation is the average deviation from the mean of a data set, ignoring whether deviations are positive or negative. It is the square root of variance.
What is the coefficient of variation in measures of dispersion?
The coefficient of variation compares the volatility of observations in different data sets. A lower value indicates lower potential deviations from the mean and therefore lower risk.
What is the formula for variance?
Variance is calculated as the sum of the squared deviations divided by the number of observations: variance = Σ(x - x̄)² / n.
How is variance interpreted in a data set?
Variance indicates how widely data points are spread from the mean. A larger variance means a greater spread.
What is the formula for standard deviation?
Standard deviation is the square root of the variance: standard deviation = √variance.
How is standard deviation interpreted in a data set?
Standard deviation measures the average distance of data points from the mean, indicating variability. A larger standard deviation indicates more variability.
What is the coefficient of variation?
The coefficient of variation is calculated as the standard deviation divided by the mean, multiplied by 100: coefficient of variation = (standard deviation / mean) × 100%.
What is the use of the coefficient of variation in risk assessment?
The coefficient of variation helps determine which option in a portfolio presents the least risk by comparing the relative variability of data sets.
What does a bigger standard deviation mean? What statistic is reviewed next to overcome this?
The bigger the standard deviation is, the more widely dispersed the possible outcomes of an event are, so a bigger standard deviation means a bigger risk.
If decision makers have information about the expected values and standard deviations of projects they are considering, they can make more informed decisions, balancing the risks and rewards.
If the risks are higher (indicated by a higher standard deviation), decision makers require higher expected values to compensate them for his.
If two projects return the same expected return, they would, in the first instance, choose the project with the smaller standard deviation. However, if the results are as a result of a greater dispersion of numbers in the data set, they could then fall back on the co-efficient of variation to determine risk.
What is a a frequency distribution?
A frequency distribution shows how often values within particular ranges occur in a data set.
What is a normal distribution? What are the metrics here? What does the area under the curve mean?
μ is the mean of the distribution (and in this case, the median and mode as well) σ represents a standard deviation
The area under the curve shows the probabilities of being within certain ranges of the mean, where distance from the mean is measured in standard deviations.
In a normal distribution what is the value of the mean, median or mode?
the mean of the distribution = the median = the mode
Where do 95% and 99% of values lie in relation to standard deviations?
– 95% of the values lie within 1.96 standard deviation above and 1.96 standard deviations below
– 99% of the values lie within 2.58 standard deviations above and 2.58 standard deviations below
What is the probability of values being above or below the mean?
the distribution is symmetrical with 50% of the probabilities lying above the mean and 50% of the probabilities below:
– 34.1% of observations lie one standard deviation below the mean
– 68.2% of observations lie between one standard deviation below and one standard deviation above
Skewed distributions
Skewed distributions
Whilst the normal distribution is symmetrical, most distributions aren’t. They will be asymmetric or skewed towards one side. In skewed distributions, the mean, median and mode are different:
The mode will typically be the highest point because it will have the highest frequency in the data set.
The mean will typically be the furthest away from the mode.
The median will fall between the mean and the mode.
What is risk management?
Risk management involves identifying, analyzing, and controlling risks that threaten assets or the earning capacity of a business to reduce exposure by lowering the probability of occurrence or limiting impact.
What are the four steps involved in the risk management process?
The four steps are:
1. Awareness and identification - likelihood top down approach (strategic) or bottom up (operational)
2. Analysis (assessment and measurement) - seriousness
3. Response and control - rank them largest to smallest
4. Monitoring and reporting
How is gross risk calculated?
Gross risk is calculated as Probability × Impact, where Probability is measured between 0 and 1, and Impact is the expected value if the event occurs.
What is a risk heatmap, and how is it used?
A risk heatmap is a graphical tool that plots risks on a scale of impact and probability, helping to prioritize actions based on the risk level.
What are the possible responses to manage a risk? 4
Responses include: (1) Share or transfer, (2) Avoidance, (3) Reduction, (4) Accept or retain. TARA stands for Transfer, Avoid, Reduce, Accept.
Manage a risk - Share or transfer definition
Share or transfer: for example, taking out insurance for high impact, low probability events or sharing the risk with another party such as a joint venture or strategic alliance.
Manage a risk - Avoidance definition
Avoidance: don’t do it! Or change the scope of the project/plan to eliminate the risk.
Manage a risk - Reduction definition
Reduction: reduce the chance of the risk occurring and/or minimise its impact.
Manage a risk - Accept or retain definition
Accept or retain: if the cost of responding to the risk outweighs the impact, you may accept it.
What does TARA stand for in risk management?
TARA stands for Transfer, Avoid, Reduce, Accept.
What is the ALARP principle in risk management?
ALARP stands for ‘As Low As Reasonably Practicable,’ ensuring risk reduction is proportional and not excessively costly for minimal gain.
What is a crisis?
A crisis is an unexpected event that threatens the wellbeing of a business or significantly impacts its stakeholders. It happens when a significant risk becomes a reality. Can happen quickly or slowly.
What is crisis management?
Crisis management involves identifying a crisis, planning a response to the crisis and confronting and resolving the crisis.
What are the types of crises? 4
Types of crises include: (1) Natural events (e.g., earthquakes), (2) Industrial accidents (e.g., fires, toxic fumes), (3) Product or service failures (e.g., product recalls, health scares), and (4) Public relations disasters (e.g., adverse media attention, removal of key management).
How should a business manage a crisis? 2
A business should seek to prevent crises by planning ahead and projecting likely outcomes, and have contingency plans to address crises effectively when they occur.
What is the purpose of contingency planning in crisis management?
Contingency planning involves creating plans for the worst and/or most likely crises to occur, keeping them up to date, and training staff on implementation in case of a crisis.
What is a disaster in the context of business operations?
A disaster is the breakdown of business operations leading to potential losses of equipment, data, or funds.
What does a long-term disaster recovery plan typically provide for? 3
A long-term disaster recovery plan typically provides for: (1) Standby procedures for maintaining some operations during disruptions - alternative working arrangements
(2) Recovery procedures to address the cause of the breakdown PR, backup restoration
(3) Personnel management policies to ensure proper implementation.
What is business resilience?
Business resilience is a business’s ability to manage and survive against planned or unplanned shocks and disruptions to its operations.
What are the two axes of business resilience according to the ICSA Solutions report?
Axis 1: Processes and functions that protect the organization (e.g., risk management, IT disaster recovery). Axis 2: General characteristics that drive resilience (e.g., trust, innovation, employee morale).
Business resilence - what are examples of Axis 1: Processes and functions that protect the organisation
Axis 1: Processes and functions that protect the organisation
Risk Management
Business continuity planning
Security
IT disaster recovery
Health and Safety
Crisis management
Internal audit
Governance
Business resilence - what are examples of Axis 2: More general characteristics of the organisation that drive resilience
Level of trust employees have in the organisation and its management
Level of trust of customers in the organisation
Ability of the organisation to innovate
Extent that organisational values are understood
Extent that organisational values drive employee behaviour
Ability of the organisation to operate risk management
Employee morale
Leadership and senior management involvement
What are four metrics used to measure resilience?
The four metrics are
compliance - with standards and policies
completeness - scope of preparations
value - measures the quality of the response to a situation
capability - evidence, through testing, how far procedures have been put in place e.g. fire drills
What does a business continuity plan typically provide? 3
A business continuity plan typically provides: (1) Standby procedures, (2) Recovery procedures, and (3) Personnel management policies.
What are key factors to address in a business continuity plan? 6
Responsibilities - A nominated individual that will take control of the response to the disaster. The individual will delegate tasks to others.
Priorities - An established list of activities that must be tackled ahead of others.
Backup and standby arrangements - For example, taking cash and card processing is interrupted.
Communication with staff - Plans to ensure clear and efficient communication to avoid compounding the effects of the disaster.
Public relations - Engagement with the media to reduce pressure on the recovery.
Risk assessment - Methods to assess the requirements of the problem.
