Enterprise Risk Management Flashcards
Silo Risk Management
Lack of communication where departments handle their risks separately.
This leaves no view of the bigger picture of the interrelations between departments, and the CEO might lack sufficient information to make strategic decisions.
Enterprise Risk Management
Consists of three components:
- Governance
  - Communication (information flow & reporting)
  - Responsibility (accountability & authority)
  - Monitor and review (KRIs)
- Strategic
  - Strategically manage risk
    - Identify the sweet spot for risk taking (risk management, not minimization)
    - Identify risk profile, tolerance, appetite, and capacity
  - Management of strategic risks
    - Strategy development and the risk management process
- Integrated
  - Across integration – portfolio view
  - Top down integration – integrating risk culture into organisational culture
The Risk Management Process
Identify
Analyse (probability x consequence)
Act/Risk Response (avoid, transfer, mitigate, accept)
Monitor (monitor the risk response)
Control (assess effectiveness and efficiency)
Categories of Risk
- Diversifiable (idiosyncratic) VS non-diversifiable (systematic)
- Core (must bear to operate and thus information is needed) VS non-core (not in the business of bearing).
Event driven risks
A way of defining risks, where a type of event triggers loss or gain
Typical risk event classifications
- Financial events
- Operational events (supplier problems, loss of personnel, IT system failure)
- Strategic events (demand changes, those that affect or are created by strategic business decisions)
- Compliance events
- Hazard events (political, terrorism, natural disasters)
How does traditional versus modern risk management view risks in relation to uncertainty and opportunity, and how are they focused on core versus non-core risks?
- Traditional – risks as calculable (probability based) and negative. Focus on non-core risks
- Modern – risks are beyond those that are calculable, are negative AND positive. Focus on core business/strategic risks.
(Both use event-driven definitions)
Operational Risks
What’s going to stop us from operating properly
“Bottom up”
Short to medium term scope
Often calculable
Strategic risks
What’s going to stop us from pursuing the strategy we’ve set and achieving our objectives
“Top down”
Long term scope, often on the more uncertain side
Strategic Risk Management process
- Assess existing strategic risks
- Reassess strategy and objectives
- Set new strategy and objectives
- Identify new strategic risks
(Do we have the appropriate strategy and business model given the risks we’re facing?)
The two aspects of Strategic Risk Management
- Strategically managing risks
  - Identifying the “sweet spot” for risk taking (risk management NOT minimization)
  - Firms should identify their risk profile and determine tolerance, appetite and capacity
- Management of strategic risks
  - Strategy development and the risk management process
A portfolio view allows organisations to observe risks that: (INTEGRATED)
- Increase in severity when consolidated
- Decrease in severity when consolidated
- Offset other risks by acting as natural hedges
- Demonstrate a positive or negative correlation to changes occurring in the severity of other risks
Two aspects of Integrated Risk Management
- “Across” integration – portfolio view
- “Up and down” integration – integrating risk culture into organisational culture
How is risk culture formed? (INTEGRATION)
Risk attitudes of the individuals (averse, neutral, seeking) shape risky behaviour, which in turn forms risk culture. Risk culture then influences both risk attitude and behaviour.
Mutually amplifying risks (INTEGRATED)
When a risk does not seem too bad on its own, but once its interrelation with other risks is considered, the combined impact is far more serious.