Chapter 6 - Risk Treatment Flashcards

1
Q

What are the 4 options for action relating to risks?

A
  • Eliminate (closing part of business or activity)
  • Control (removing or reducing)
  • Transfer (insurance)
  • Retain (tolerate)
2
Q

What is the only certain way to prevent loss from a specific risk?

A

Avoid the risk entirely

3
Q

What are some methods to eliminate a risk entirely?

A
  • Cease the activity giving rise to the risk
  • Change the location the activity is carried out
  • Change materials
  • Change method
4
Q

What are the downsides of risk elimination?

A
  • Economic costs - inevitably harm earnings of an organisation in the short term.
  • Unintended consequences - Could affect the probability or potential severity of another risk
5
Q

What is the most feasible way to avoid risk?

A

Achieve risk avoidance in the design or planning stage of a new project

6
Q

What 4 broad classes can risk control be divided into?

A
  • Preventative - measures to stop risks happening
  • Corrective - limit scope of loss
  • Detective - After the event measures to identify when/how an incident happened
  • Directive - Controls to ensure a particular aim is realised
7
Q

What are the most common forms of risk controls in organisations?

A

Preventative controls - designed to reduce the possibility of the undesirable event being triggered

8
Q

What are some examples of preventative controls?

A
  1. Separation of duties - prevents irregularities
  2. Limit specified actions to authorised personnel - only suitably qualified and trained people can sign off certain actions
  3. Strategic decisions - at highest level of organisation to avoid certain types of activity
9
Q

It can be helpful to think of risk controls as ………

A

= Barriers
Physical - actual hindrance
Natural - Distance, time & placement
Human Action -
(in order of reliability)

10
Q

What is a corrective control and some examples of them?

A

= Reduce the losses of adverse risk events that have already happened:
- Contract terms
- Business Continuity Planning - helps in returning to operations as quickly as possible
- Insurance
- Diversification of business -> spreads the risk across the business as unlikely to be affected by the same loss
- Diversification of financial investment risk

11
Q

What is a directive control and some examples?

A

= Designed to make people behave a specific way, ensuring a particular outcome is achieved… commonly associated with health, safety & security
1. Rules & training for health and safety - PPE/trained to level
2. Procedural manuals, protocols & specifications - checklists, worksheets & test schedules designed to ensure all critical aspects of a task have been completed properly
3. Job descriptions - define responsibilities

12
Q

What is a potential weakness in directive controls?

A

= Human errors

13
Q

What are detective controls and some examples?

A

= Designed to identify unwanted occurrences that have already happened
1. Accident investigations (identify root cause & preventative measures for the future)
2. Fraud detection
3. Audits & inspections e.g. errors in work

14
Q

For complex risks, what is often the most effective way to control the risk?

A

Combinations of different types of controls

15
Q

What is important when a control is put in place?

A

The control is proportional (reasonable) in relation to the extent of the risk

16
Q

How can the cost-effectiveness of a control be estimated?

A

Comparing the severity of an uncontrolled risk (inherent) with the severity of the same risk assuming the controls are in place (residual risk). Difference must be greater than the cost of implementing the control

17
Q

What are the 3 main methods of transferring risk?

A
  1. Insurance
  2. Securitisation of the risk
  3. Transfer by contract
18
Q

If we own a business and our premises are destroyed by fire or one of our employees is injured, that risk is ours and cannot be transferred. However, what we can transfer is the ‘……………………………………………………’ of a risk event occurring.

A

Financial consequences

19
Q

Are some risk exposures compulsory?

A

Yes by law some must be insured by third-party insurers e.g. EL, PI & Motor

20
Q

What are some advantages of insurance for risk transfer?

A
  1. Swap an unknown risk for a confirmed premium giving businesses confidence
  2. Insurers have wealth of experience in risk and risk funding mechanisms
  3. Additional services e.g. risk services
  4. Can ‘coinsure’ for high level of sums insured
  5. Premiums can be tax deductible
21
Q

What are some disadvantages of insurance?

A
  1. To assess and cost risk, insurers look at the CAUSE whereas the organisation looks at SEVERITY, so insurers may not be able to cover all possible causes of loss/damage
  2. Risk acceptance & pricing can be too short a period of time
  3. Insurers cannot offer risks such as brand value (non-financial)
22
Q

What is the securitisation of a risk, and what are two examples?

A

= Range of instruments that enable an organisation to transfer financial risk to a professional risk carrier (investment & banking world) rather than traditional insurance contract
1. Insurance derivatives
2. CAT Bonds

23
Q

What is an insurance derivative?

A

A development of a financial derivative which enables someone to buy or sell a specific asset at a specified date in the future for a specified time

24
Q

What is a CAT bond, why are businesses attracted to them?

A

= Investment bonds that provide a return to investors based on insurance-type events rather than financial market developments. Provide longer term cover (often 3 to 5 years) and make SPECIFIED AMOUNTS on the occurrence of one event (or multiple) happening in that period.

= Can transfer risk portfolios directly into capital markets -> SPREADING RISKS. An alternative if traditional insurance is too expensive or does not provide required cover.

25
Q

Why do people invest in securitisation?

A

Valuable to investors as spread risks of portfolios across markets - SPREADING RISK

25
Q

Why may insurance & reinsurance companies seek to transfer policyholders’ risks by issuing securitised risk products?

A

String of high level catastrophe losses has exposed inability of insurance market to respond adequately. = Gives access to wider capital source

26
Q

If we are clear what risks we are transferring, recognise legal constraints preventing transfer of certain types of risk, and are careful with contract wording, then transfer by contract is a viable method of risk transfer - what are some examples?

A
  1. Leases & hiring agreements -
  2. Surety agreements - A contract between 3 parties where the surety takes the risk that a principal does not complete the contract but can claim back losses from the principal
  3. Guarantees - a guarantor
  4. Waiver - can sue in breach of contract or tort
  5. Indemnity & hold harmless agreement - designed to release from legal claims
  6. Disclaimers - notice or statement limiting organisation’s responsibility for certain consequences or harm
27
Q

Even when insurance is available, there may be reasons organisations……….. WHAT……… some risks?

A

Retain

28
Q

What are the two main types of risk retention?

A
  1. Involuntary (no possibilities for elimination, control or transfer can fully contain the risk)
  2. Voluntary (if exposure is insignificant)
29
Q

If none of the possibilities for elimination, control & transfer can fully triage and treat a risk, what is this risk retention known as and what are some examples?

A

= Involuntary risk retention
Why?
1. Insurance is not available - not available in the market, cost is too high for scale of risk or the desire to take an opportunity risk
2. Unplanned - did not foresee the risk or inadequate, derives from ignorance or unidentified risks occurring

30
Q

What are 2 reasons for voluntary risk retention?

A
  1. Economic reasons - If commercially insignificant, the cost of insurance could be a waste
  2. Managerial reasons - May encourage ownership amongst local risk managers and motivate them to work harder to reduce the risk
31
Q

What are the 6 options for financing risk retention?

A
  1. Non-replacement - absorb losses of income and does not replace asset
  2. Current expense - treated as operating costs
  3. Contingency reserve - Surplus trading is held in a reserve each year which is equal to expected losses
  4. Internal Risk Fund - Separate fund to ensure availability of liquid funds to pay losses
  5. Captive Insurance Companies - Inhouse provider insuring its own business, viewed as form of self-insurance
  6. Borrowing - can borrow to meet cost of losses
32
Q

When does partial retention occur and what are 4 methods?

A

= Arises at instigation of the organisation, the insurer, or as a compromise between both parties, e.g.:
1. Indemnity limit - limit per occurrence or time
2. Excess & deductible - organisation pays small amount of losses
3. First-loss cover - Mirror image of a deductible. Insurance company pays up to a limit and the organisation pays post that, if occurs
4. Co-payment - policyholder agrees fixed percentage of any loss applied on top of any excess or deductible

33
Q

What are some key considerations for making the right choice with regard to risk treatment?

A
  • Not waste money on unnecessary financing
  • Ensure strengths of the organisation are used for benefit of shareholders
  • Avoid retaining single risks large enough to destroy the organisation
  • Reflect that risks are multi-year and constantly changing
34
Q

Roughly define Business Continuity Management (BCM)

A

Advance planning for an organisation on what they will do if a major incident/crisis occurs - another form of risk control.

35
Q

Does BCM provide valuable preparation for expected & unexpected events?

A

YES - BOTH
We know a lot of things can happen, just not the where, when and SCALE

36
Q

What do BCM plans include e.g. actions?

A

= Requisition urgently needed resources, ensure effective control of management of the incident

37
Q

When disaster strikes, a carefully prepared and rehearsed Business Continuity Management plan will give an organisation an immediate, effective response and prepare the way for the quickest possible route to a full recovery - what are some examples of low cost and high cost BCM?

A

Low cost - backing up computer data and storing off-site
High - contracts for stand-by machinery, physical locations and detailed recovery plans and exercises for all staff

DOESN'T HAVE TO BE COSTLY TO BE EFFECTIVE THOUGH

38
Q

How has globalisation influenced BCM?

A

More interconnected so BCM need has become greater - cannot only consider own organisation but also supply chain disruptions at any stage

39
Q

A BCM programme is a mix of ….. & …… actions? Fill in the gaps

A

Core and facilitating
= An ongoing action which can never be regarded as complete, it is not a linear process with beginning and end

40
Q

What are examples of core actions in a BCM programme?

A
  1. Crisis Management Planning - who does what in the immediate emergency?
  2. Continuity Planning - how do we keep the business running & return to normal operations ASAP?
  3. Recovery Planning - how to get back to normal, pre-loss business levels
41
Q

What are examples of ‘facilitating actions’ in a BCM programme?

A
  • Impacts of disruption & survival priorities = starting point & originate from risk register and business impact analysis
  • Exercises and tests - ensure it works
  • Evaluation & improvement - corrective additions from audit & review
  • Leadership & support - needs people with appropriate knowledge and experience in place to contribute
42
Q

Are there internationally recognised BCM standards?

A

YES
1 = International Organisation for Standardization’s ISO Business Continuity Management is a widely adopted standard internationally e.g. UK’s British Standards Institute
2 = Larger organisations can choose to be ‘certified’ following detailed inspections from industry bodies
3 = Professional bodies now offer certification to professionals working for an organisation

43
Q

Roughly define resilience, what it means and the difference between resilience and BCM

A

= Broader concept with a focus on encompassing all of the critical processes that together produce the output of an entire organisation - about building capacity to step back from ‘business as usual’ to be alert for changes in the external environment and prepared for possibility of disruption.

Difference is BCM is focused on immediate response to an incident and speedy recovery whereas resilience is being alert and early preparation of the possibility of new events that could disrupt the organisation

44
Q

What are some examples of embedded behaviours which build resilience?

A
  • Capacity to respond to stress scenarios
  • Ability to maintain key services for clients
  • Training of staff and preparation for bad situations
  • Willingness to learn from past mistakes
  • Efficient communication
  • Proactive culture to managing risks
45
Q

What are some benefits & drawbacks of BCM?

A
  1. Inspire trust in ability to continue operations during a disruption
  2. Reputation
  3. Regulatory Requirements
  4. Reduce cost of disruption
  5. Create competitive advantage

Bad = incurs cost of specialist skills & requires time and support from busy leaders & workers

46
Q

What must all aspects of risk control be on a regular basis?

A

Reviewed

47
Q

Why is it important to evaluate risk controls?

A

To ensure they remain effective in controlling the risk to the intended standard and that it is financially cost-effective

Can learn that some controls are unnecessary and inappropriately complex and can be modified

48
Q

Who generally will assess and monitor risk controls of an organisation?

A

Part of the role of an internal audit team and have developed specialisms in this.

49
Q

What is a useful tool to prompt the review of risk controls and progress reports?

A

A risk register