Chapter 5 - Risk Assessment Flashcards
What is a risk assessment?
Risk identification + analysis + evaluation
What is the first step in the risk management process?
Finding and assembling the risks and threats to the organisation (building a risk register) e.g. risks to day-to-day operations such as sourcing of materials, or things which THREATEN THE OBJECTIVES OF THE ORGANISATION
Why do we need risk information?
The more you know about the risks faced, the greater the chance of making the right strategic decisions to meet objectives
What is ‘trusted & relevant’ information?
= ‘informed’ view of the risks that threaten an organisation: its people, objectives, success or existence; so the information is any information that may influence a decision about a risk
What are the different classifications of information?
- Qualitative - description or written
- Quantitative - measured or counted
- Subjective - judgment based
- Objective - factual
- Static - Fixed data which is not altered e.g. DOB
- Dynamic - capable of changes
Is one type of risk information better than another?
No; generally a variety of different types is best, so all angles can be seen
How has technology influenced risk information?
New technologies and ‘big data’ give us more information, which is useful for risk information e.g. health insurers with monitoring equipment, social media for claims & artificial intelligence
What are the two umbrella terms of risk identification techniques?
Internal & External
What are some examples of internal risk identification?
- Talking to people in the organisation
- Workshops & brainstorming (debating and challenging is good for seeing the human side)
- Meetings & committees
- Questionnaires
- Procedure manuals
- INTERNAL AUDIT & COMPLIANCE MONITORING
- Surveys and observation
What are some examples of external risk identification?
- Stress testing & scenario analysis - running through plausible scenarios and what would happen in different outcomes
- External auditors’ reports e.g. external accountants
- Reading insurance documents (great for assessing risk & gathering information)
What is a key point to remember in risk identification?
ONGOING PROCESS - NEVER STOPS
What can the routine collection of risk information be assisted by?
Electronic information systems - collate large data sets and continuously record information - also more reliable as there is no human bias
Some risks are more obscure than others and hide within complex businesses; what are some techniques to break down complexity to identify risks?
- Workshops & brainstorming -> collecting and sharing ideas
- Business process analysis -> teams ask the ‘what if’ questions
- Inspections & audits
- Flows, processes & dependency charts
- ‘Fault trees’ & ‘root cause analysis’
- Organisation charts -> help to break down structure and activities in a clear manner
When describing and recording risks, what is a useful aid in the risk assessment?
Using risk classifications to reduce complexity and make comparisons easier - benefits publication to investors, directors & the public
What are two examples of using risk classifications to aid in risk assessment?
- The FIRM scorecard - Financial risks, Infrastructure risks, Reputational risk and Marketplace risk - noting which risks are internally/externally driven. Benefit = helps to view wider and different viewpoints when identifying the risks an organisation faces
- Local Authority Risk Register - UK Local Authorities often classify risks in a way which matches their operational & legal structure
What is the prime use of historical data analysis in risk management?
Used to determine expected values or ranges of value for particular ongoing risks
What does risk analysis attempt to measure?
Frequency & Severity
How are numbers used to express judgement of frequency?
Used as codes to give consistency and a common format e.g. 1 to 5, with 1 being the lowest and 5 the highest
BUT, can reduce accuracy by grouping
Why is it sometimes difficult to consider severity?
Some damages, e.g. to physical assets, can be quantified, but others, e.g. injury or loss of reputation, present difficulty in attaching a monetary value
What options are available when severity cannot be measured in financial terms?
- RAG Rating (Red, Amber & Green) - Easily understood but broad categories
- Using numbers to express judgement of severity - e.g.
  Level 1 - Negligible
  Level 3 - Moderate
  Level 5 - Extreme
  This can accommodate both FINANCIAL & NON-FINANCIAL risk estimates
Explain an important feature when making a risk assessment?
Should it be assessed at the INHERENT level (assuming controls fail to work) or the RESIDUAL level (with controls & precautions in place)?
What is the purpose/what does a risk map/matrix show?
Combines the results of the measurements of frequency and severity into a table, with frequency on the x-axis and severity on the y-axis
Apart from a risk matrix/map, what is another form used to create pictures on different types of risk and their possible effects?
Models made using mathematics
How can risk evaluation be described?
Taking the results of risk analysis and relating them to the context in which the organisation operates e.g. country, environment, location or operational limits, and ability to cover financial loss