Chapter 5 - Risk Assessment Flashcards
What is a risk assessment?
Risk identification + analysis + evaluation
What is the first step in the risk management process?
Finding and assembling the risks and threats to the organisation (building a risk register), e.g. risks to day-to-day operations such as sourcing of materials, or things which THREATEN THE OBJECTIVES OF THE ORGANISATION
Why do we need risk information?
The more you know about the risks faced, the greater the chance of making the right strategic decisions to meet objectives
What is ‘trusted & relevant’ information?
= an ‘informed’ view of the risks that threaten an organisation: its people, objectives, success or existence. So the information is any information that may influence a decision about a risk
What are the different classifications of information?
- Qualitative - description or written
- Quantitative - measured or counted
- Subjective - judgement-based
- Objective - factual
- Static - Fixed data which is not altered e.g. DOB
- Dynamic - capable of change
Is one type of risk information better than another?
No; generally a variety of different types is best, so you can see all angles
How has technology influenced risk information?
New technologies and ‘big data’ give us more information, so are useful for risk information, e.g. health insurers with monitoring equipment, social media for claims & artificial intelligence
What are the two umbrella terms of risk identification techniques?
Internal & External
What are some examples of internal risk identification?
- Talking to people in the organisation
- Workshops & brainstorming (debating and challenging is good for seeing the human element)
- Meetings & committees
- Questionnaires
- Procedure manuals
- INTERNAL AUDIT & COMPLIANCE MONITORING
- Surveys and observation
What are some examples of external risk identification?
- Stress testing & scenario analysis - running through plausible scenarios and what would happen in different outcomes
- External auditors’ reports e.g. external accountants
- Reading insurance documents (great for assessing risk & gathering information)
What is a key point to remember in risk identification?
ONGOING PROCESS - NEVER STOPS
What can the routine collection of risk information be assisted by?
Electronic information systems - collate large data sets and continuously record information - also more reliable, as there is no human bias
Some risks are more obscure than others and hide in complex businesses. What are some techniques to break down complexity to identify risks?
- Workshops & brainstorming -> collecting and sharing ideas
- Business process analysis -> teams ask the ‘what if’ questions
- Inspections & audits
- Flows, processes & dependency charts
- ‘Fault trees’ & ‘root cause analysis’
- Organisation charts -> help to break down structure and activities in a clear manner
When describing and recording risks, what is a useful aid in the risk assessment?
Using risk classifications to reduce complexity and make comparisons easier - benefits publications to investors, directors & the public
What are two examples of using risk classifications to aid in risk assessment?
- The FIRM scorecard - Financial risks, Infrastructure risks, Reputational risk and Marketplace risk - noting which risks are internally/externally driven. Benefit = helps to view wider and different viewpoints when identifying the risks an organisation faces
- Local Authority Risk Register - UK Local Authorities often classify risks in a way which matches their operational & legal structure
What is the prime use of historical data analysis in risk management?
Used to determine expected values or ranges of value for particular ongoing risks
What does risk analysis attempt to measure?
Frequency & Severity
How are numbers used to express judgement of frequency?
Used as codes to give consistency and a common format, e.g. 1 to 5 with 1 being the lowest and 5 the highest
BUT, can reduce accuracy by grouping
Why is it sometimes difficult to consider severity?
Some damages, e.g. to physical assets, can be quantified, but others, e.g. injury or loss of reputation, present difficulty in attaching a monetary value
What options are available when severity cannot be measured in financial terms?
- RAG Rating (Red, Amber & Green) - Easily understood but broad categories
- Using numbers to express judgement of severity - e.g.
Level 1 - Negligible
Level 3 - Moderate
Level 5 - Extreme
and this can accommodate both FINANCIAL & NON-FINANCIAL risk estimates
What is an important consideration when making a risk assessment?
Should it be assessed at the INHERENT level (assuming controls fail to work) or RESIDUAL level (with controls & precautions in place)
What is the purpose/what does a risk map/matrix show?
Combines the results of measurements of frequency and severity into a table, with frequency on the x-axis and severity on the y-axis
Apart from a risk matrix/map, what is another form used to create pictures on different types of risk and their possible effects?
Models made using mathematics
How can risk evaluation be described?
Taking the results of risk analysis and relating them to the context in which the organisation operates, e.g. country, environment, location or operational limits and ability to cover financial loss
For both individuals and organisations, what is appetite for risk moderated by?
The ability to tolerate types of loss or levels of the loss
What are the 3 main different types of criteria which influence risk appetite and tolerance when evaluating a risk assessment?
- Financial criteria – e.g. cash reserves and ability to raise loans will impose a sensible limit on risk appetite
- Legal criteria – laws and regulations e.g. threat of large fines
- Operational criteria -
Risk information has to be recorded & stored in a logical, easily accessible and understandable form – how is this normally done?
Building the data into a useful database – called a RISK REGISTER
What is the aim of a risk register & why is it important?
Aim is to build a complete picture of the risk profile of an organisation
Establishes criteria to help make decisions & choose appropriate methods of risk control
What are essential components of a risk register’s design?
Risk description, frequency, severity, existing controls, ranking & priorities and even recommendations for new or improved risk controls
How and why are risk-registers often web-based systems?
Makes access easier and allows consistent updating with new risks, reviews, reporting, assessing and classifying = more opportunity to contribute
What may an extended risk register system also include?
Data concerning risk financing and continuity planning and facilities to test the different scenarios
What 4 factors are often used for evaluation in a risk register?
- Operational
- Financial
- Legal
- Moral
What are the main evaluation criteria for risk?
- Risk appetite & tolerance (financial, legal, operational)
- Presenting the risk assessment in a register
- The risk ‘owner’ – who takes responsibility for the risk
- The importance of regular review – ongoing process and testing controls
- Warning – using it