ERM Chapter 13 Flashcards
Describe a six step process designed to produce and maintain a comprehensive identification and initial assessment of the risks faced by a business.
- Business analysis - ensure the company has clear business objectives. Analyse its operations and wider environment. The business analysis will involve looking at:
  - the business plan
  - the company’s structure and its system of internal controls
  - current and projected accounts and accounting ratios
  - market information, such as competitors’ actions and market share
  - the resources available to the company
  - legislative and regulatory constraints
  - the general economic environment
- Identify the risks (upside and downside) the company faces in a structured way. The starting point for this will be a review of the findings of the business analysis to identify any areas of risk, uncertainty or opportunity.
- Obtain an agreement on the risks faced, the relationships between them, and identify individuals who will be responsible for each risk and its management.
- Evaluate the risks in terms of their likelihood and severity. This might be done both gross and net of existing controls. This enables risks to be prioritised for further implementation of control.
- Produce a risk register to record the results of this process in one place.
- Review the risk register regularly, and especially in times of change, to ensure that it remains up to date and reflects the current risks faced by the company.
What are the benefits of risk identification and assessment?
- enhances awareness and transparency of risks in the organisation
- helps transfer knowledge and improve understanding across the company
- acts as a firm base for subsequent risk analysis, quantification and prioritisation
- enhances the quality of reporting to the board and senior management
- hence, helps improve business decisions
Outline necessary conditions to gain benefits from risk identification and assessment.
- have senior sponsorship of the RM programme
- be consistent on the standards used over time
- ensure quantitative and qualitative data is used to develop a comprehensive risk profile for the whole organisation
- integrate risk identification with the entire RM process
- demonstrate added value
Outline six tools used in the risk identification process.
- SWOT analysis - considers the strengths, weaknesses, opportunities and threats of the organisation
- Risk checklist - a list of risks identified on past projects or initiatives the company has undertaken or from an external source. Care must be taken to ensure information is relevant and up-to-date.
- Risk prompt list - a list of different categories of risks to consider and examples of each. Potentially produced at an industry-wide level by a supervisory authority.
- Risk taxonomy - a structured way of classifying risks and breaking them down into components. Helps to ensure those involved in the process have a common understanding of terms used in the risk identification process. Less project specific than a checklist and less industry specific than an industry prompt list.
- Case studies - examining case studies can help to understand the impact of risks in a specific context.
- Process analysis - by constructing flowcharts of business processes, and the links between them, it is possible to identify the risks that occur at each stage. Particularly suited to operational risks.
State a potential advantage and disadvantage of each of the six risk identification tools.
They all provide a clear structure for the risk identification process. This may improve the quality of the output, but the result may still not be comprehensive.
Outline techniques used in the risk identification process. Provide a disadvantage of each technique.
Brainstorming - gather a group of people together and generate ideas in a freeform way. Often facilitated by an external consultant, this requires all participants to be in the same room at the same time.
D: Poorly run sessions run the risk of convergent thinking or incomplete or biased identification of risks. Diversity of participants should exist to counter this.
Independent group analysis - each risk is presented by a member of the group and then discussed by the group. An agreed list of risks is ranked independently by each member and combined to form an overall ranking.
D: An unbalanced group (e.g. all marketing execs) could provide a biased list of risks and rankings.
Surveys - rather than gathering people together, using online or postal surveys can generate a wide range of ideas cheaply and without collusion of participants.
D: The risk of framing, whereby the way the question is asked influences responses.
Surveys also suffer from poor response rates.
The quality of the survey is only as good as the quality of its design and response data. Multiple-choice surveys are easier to analyse but limit the range of responses.
Gap analysis - particular type of questionnaire designed to identify the company’s current and desired risk exposures. Although the board is best placed to identify desired risk exposures, line management may be best placed to identify current risk exposures.
D: May be difficult and costly to engage the board and line management in such an exercise consistently.
Delphi technique - structured communication technique where questions are answered in two or more rounds. After each round a facilitator provides a summary of the output from the previous round as well as reasons for this judgement. Participants then revise their answers in light of the reply, in the hope that the range of answers will decrease and the group will converge to a common consensus.
D: Time consuming and therefore costly, especially if an external facilitator is required.
Interviews - individuals are interviewed and results collated, normally by an independent, external reviewer.
D: Can be time-consuming, leading to restrictions on the number of interviews that can be conducted. Involving multiple interviewers can lead to inconsistencies.
Working groups - small number of interested individuals are tasked with considering a specific risk or group of risks.
D: If members are specialists, as is normal, then identification can be narrow rather than comprehensive. Specialists may also work at a higher level of precision than is cost justified.
Describe the key elements of a risk register.
- a labelling or numbering system so that risks can be easily identified
- a category of risk e.g. credit risk
- a description of each risk that is clear and understandable to all
- an initial assessment of the likelihood of the risk occurring, its impact, and the timeframe over which it is applicable
- the risk response action, its cost and expected residual/secondary risks
- individuals involved in monitoring and managing the risk e.g. the risk owner
- document control information, so it is clear when it was last updated and by whom.
Outline the seven risk concepts.
- Exposure - the maximum loss that can be suffered if an event occurs
- Volatility - a measure of variability within the range of possible outcomes
- Probability - the likelihood that an event occurs
- Severity - the loss that is likely to be incurred if an event occurs
- Time horizon - the length of time for which an organisation is exposed to a risk, or time required to recover from an event
- Correlation - the degree to which differing risks behave similarly in response to common events
- Capital - capital is held to manage cashflow, facilitate growth/new ventures, and to cover unexpected losses arising from exposure to risks.
Outline initial risk assessment techniques for likelihood/severity.
Categorisation - decide whether the probability of an event occurring falls within some pre-set categories. Number of categories defined depends upon the level of accuracy required and the extent to which they can be accurately estimated. e.g. 0-25/25-50, low/medium/high
Probability distribution - specify a probability distribution for certain events. Maximal data will allow fairly sophisticated distributions e.g. exponential, while minimal data will allow simple distributions e.g. triangular or uniform.
Risk mapping - technique used to illustrate the effect a risk might have on an organisation. Each risk is plotted on a graph known as a risk map, with axes measuring the likelihood and severity of risks. It is important to include all risks faced by the whole enterprise and bring them together on a consistent basis for a fully comprehensive risk map.
What are emerging risks, and why are they so important?
Emerging risks are developing or already known risks which are subject to uncertainty and ambiguity and are therefore difficult to quantify using traditional risk assessment techniques. They can represent a change in the nature of an existing or known risk, or the development of a new risk.
They are important since knowledge of these risks will influence corporate strategy, may affect the profitability of the organisation, and may yield opportunities for a new product.
Outline four key inter-related trends that give rise to RM challenges.
- Globalisation - the increased interdependency of the world’s economies and markets
- Technology - new operational risks arising from technology-driven business
- Changing market structures - as markets are deregulated and privatised
- Restructuring - the effects of mergers & acquisitions, joint ventures, outsourcing and business re-engineering
Give examples of potential emerging risks in the current environment.
- significant shifts in power between the world’s economies
- contagion in asset markets
- insurance claims from unexpected sources such as developments in nanotechnology, high levels of mobile phone usage, driverless vehicles, climate change, and shifts in the level and sources of terrorism
- use of social media changing the way information is stored and distributed
- rapid changes in the nature and sources of cyber risk
- unexpected behaviour of financial guarantees embedded in products
- non-linear dependencies between current risks
Outline cyber risk.
Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure in its information technology systems.
Risks include hacking, security breaches, espionage, data theft, extortion, privacy breaches and cyber terrorism.
Implications can include business interruption, reputational damage and legal liability, with associated costs of communication, resolution, compensation, loss of business and possibly fines and legal costs.
Controls include having strong IT security, including firewalls and malware protection, clear policies and governance for users, and incident management processes. It may be possible to purchase cyber insurance to cover losses relating to damage to, or loss of information from, IT systems and networks.
Outline key factors in the identification and analysis of emerging trends.
- a more holistic view is initially required for emerging risk identification, considering all possible impacts of the emerging risk
- a key tool in identification is horizon scanning, which is the systematic search for potential developments in the long-term, with emphasis on those changes that are at the edge of current thinking
- can be identified via the use of experts (costly, may be unavailable), relevant external sources such as academic journals and websites
- continual monitoring of developments in relevant research is important to refresh decisions made on emerging risks
- an analysis of trends is important, as is the need to monitor regulatory and lobbying activity in that sector
How might bias arise?
- Intentionally - a manager deliberately underestimates a risk to achieve a specific personal goal, such as furthering their own career or avoiding scrutiny of the RMF
- Unintentionally - a manager inaccurately assesses a risk due to lack of experience or time