Chapter 5 - Risk Assessment Flashcards

1
Q

What is a risk assessment?

A

Risk identification + analysis + evaluation

2
Q

What is the first step in the risk management process?

A

Finding and assembling the risks and threats to the organisation (building a risk register), e.g. risks to day-to-day operations such as sourcing of materials, or things which THREATEN THE OBJECTIVES OF THE ORGANISATION

3
Q

Why do we need risk information?

A

The more you know about the risks faced, the greater the chance of making the right strategic decisions to meet objectives

4
Q

What is ‘trusted & relevant’ information?

A

= an ‘informed’ view of the risks that threaten an organisation: its people, objectives, success or existence. So the information is any information that may influence a decision about a risk

5
Q

What are the different classifications of information?

A
  • Qualitative - description or written
  • Quantitative - measured or counted
  • Subjective - judgment based
  • Objective - factual
  • Static - Fixed data which is not altered e.g. DOB
  • Dynamic - capable of changing
6
Q

Is one type of risk information better than another?

A

No; generally a variety of different types is best, so that all angles can be seen

7
Q

How has technology influenced risk information?

A

New technologies and ‘big data’ give us more information, so are useful for risk information, e.g. health insurers with monitoring equipment, social media for claims & artificial intelligence

8
Q

What are the two umbrella terms of risk identification techniques?

A

Internal & External

9
Q

What are some examples of internal risk identification?

A
  • Talking to people in the organisation
  • Workshops & brainstorming (debating and challenging is good for seeing the human part)
  • Meetings & committees
  • Questionnaires
  • Procedure manuals
  • INTERNAL AUDIT & COMPLIANCE MONITORING
  • Surveys and observation
10
Q

What are some examples of external risk identification?

A
  • Stress testing & scenario analysis - running through plausible scenarios and what would happen in different outcomes
  • External auditors’ reports e.g. external accountants
  • Reading insurance documents (great for assessing risk & gathering information)
11
Q

What is a key point to remember in risk identification?

A

ONGOING PROCESS - NEVER STOPS

12
Q

What can the routine collection of risk information be assisted by?

A

Electronic information systems - they collate large data sets and continuously record information, and are also more reliable as there is no human bias

13
Q

Some risks are more obscure than others and hide in complex businesses. What are some techniques to break down complexity to identify risks?

A
  • Workshops & brainstorming -> collecting and sharing ideas
  • Business process analysis -> teams ask the ‘what if’ questions
  • Inspections & audits
  • Flows, processes & dependency charts
  • ‘Fault trees’ & ‘root cause analysis’
  • Organisation charts -> help to break down structure and activities in a clear manner
14
Q

When describing and recording risks, what is a useful aid in the risk assessment?

A

Using risk classifications to reduce complexity and make comparisons easier - this also benefits publications to investors, directors & the public

15
Q

What are two examples of using risk classifications to aid in risk assessment?

A
  1. The FIRM scorecard - Financial risks, Infrastructure risks, Reputational risk and Marketplace risk - noting which risks are internally/externally driven.
    Benefit = helps to view wider and different viewpoints when identifying the risks an organisation faces
  2. Local Authority Risk Register - UK Local Authorities often classify risks in a way which matches their operational & legal structure
16
Q

What is the prime use of historical data analysis in risk management?

A

Used to determine expected values or ranges of value for particular ongoing risks

17
Q

What does risk analysis attempt to measure?

A

Frequency & Severity

18
Q

How are numbers used to express judgement of frequency?

A

Used as codes to give consistency and a common format, e.g. 1 to 5 with 1 being the lowest and 5 the highest
BUT this can reduce accuracy by grouping

19
Q

Why is it sometimes difficult to consider severity?

A

Some damage, e.g. to physical assets, can be quantified, but other damage, e.g. injury or loss of reputation, is difficult to attach a monetary value to

20
Q

What options are available when severity cannot be measured in financial terms?

A
  1. RAG Rating (Red, Amber & Green) - Easily understood, but broad categories
  2. Using numbers to express judgement of severity - e.g.
    Level 1 - Negligible
    Level 3 - Moderate
    Level 5 - Extreme
    and this can accommodate both FINANCIAL & NON-FINANCIAL risk estimates
21
Q

Explain an important feature to consider when making a risk assessment.

A

Whether it should be assessed at the INHERENT level (assuming controls fail to work) or the RESIDUAL level (with controls & precautions in place)

22
Q

What is the purpose/what does a risk map/matrix show?

A

Combines the results of measurements of frequency and severity into a table, with frequency on the x-axis and severity on the y-axis

23
Q

Apart from a risk matrix/map, what is another form used to create pictures of different types of risk and their possible effects?

A

Models made using mathematics

24
Q

How can risk evaluation be described?

A

Taking the results of risk analysis and relating them to the context in which the organisation operates, e.g. country, environment, location, operational limits, or ability to cover financial loss

25
Q

For both individuals and organisations, what is appetite for risk moderated by?

A

The ability to tolerate types of loss or levels of the loss

25
Q

What are the 3 main types of criteria which influence risk appetite and tolerance when evaluating a risk assessment?

A
  1. Financial criteria – e.g. cash reserves and ability to raise loans will impose a sensible limit on risk appetite
  2. Legal criteria – laws and regulations e.g. threat of large fines
  3. Operational criteria -
26
Q

Risk information has to be recorded & stored in a logical, easily accessible and understandable form – how is this normally done?

A

Building the data into a useful database - called a RISK REGISTER

27
Q

What is the aim of a risk register & why is it important?

A

Aim is to build a complete picture of the risk profile of an organisation

Establishes criteria to help make decisions & choose appropriate methods of risk control

28
Q

What are essential components of a risk register’s design?

A

Risk description, frequency, severity, existing controls, ranking & priorities and even recommendations for new or improved risk controls

29
Q

How and why are risk-registers often web-based systems?

A

Makes access easier and allows the register to be consistently updated with new risks, reviews, reporting, assessing and classifying = more opportunity to contribute

30
Q

What may an extended risk register system also include?

A

Data concerning risk financing and continuity planning, and facilities to test different scenarios

31
Q

What 4 factors are often used for evaluation in a risk register?

A
  1. Operational
  2. Financial
  3. Legal
  4. Moral
32
Q

What are the main evaluation criteria for risk?

A
  1. Risk appetite & tolerance (financial, legal, operational)
  2. Presenting the risk assessment in a register
  3. The risk ‘owner’ – who takes responsibility for the risk
  4. The importance of regular review – ongoing process and testing controls
  5. Warning – using it