Evaluating and reporting risk Flashcards

1
Q

What are the 6 techniques for identifying risk events?

An organisation’s choice of techniques will depend on what? (4)

What is the purpose of risk identification?

Why are analytical techniques generally seen as better?

A
  1. Expert judgement
  2. Focus groups and surveys
  3. Checklists
  4. Physical inspections
  5. Analytical approaches = SWIFT, Delphi, Root-cause analysis, and system and process mapping
  6. Loss event and near-miss investigations

Depends on the nature, scale and complexity of its activities, as well as regulatory requirements

= to determine the nature of risks and the specific types of risk event that may occur

They use a range of research and logic structuring methods to make risk identification more scientific and less prone to human error.

2
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - EXPERT JUDGEMENT

What does expert judgement rely on?

Name an example.

What are the two types of experts?

Who is it helpful to have work with an expert?

What is the advantage?

What is the disadvantage?

A

Relies on skills and experiences of relevant specialists, either in isolation or working as a group

E.g., IT specialist should have a good understanding of the types of IT-related risk events to which an organisation may be exposed

Internal and external = most organisations will use their own internal specialists to provide expert judgement, but in some circumstances external experts (RM consultants) may be used

Helpful to have a facilitator to work with experts to help them identify all relevant risks
= the facilitator may be an internal risk specialist or an external consultant

Advantage = using 1 expert is cost effective in terms of time

Disadvantage = possibility that the expert may miss something important or exhibit some form of perceptual bias

3
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - FOCUS GROUPS AND SURVEYS

Who might focus groups comprise of?

What is the main idea behind a focus group?

What is the advantage?

What is the disadvantage?

What is a risk survey?

What are the 2 types of risk surveys?

How can they be created?

A

May comprise a mix of specialists (IT, finance and HR specialists) and include functional and departmental managers (operations managers or marketing managers)

Idea = to share a range of different perspectives and experiences to achieve a consensus view

Advantage = should ensure that a greater number of relevant risk events are identified

Disadvantage = focus groups take up more specialist or management time due to the greater number of people involved

Risk survey = relevant specialists and managers are asked a series of questions and their responses are consolidated and analysed to identify relevant risk events

  1. Simple survey = may ask respondents to list the risk events that they believe could occur or may provide a checklist of potential risk events
  2. More sophisticated = may ask about how organisational processes and procedures are designed and controlled to identify the potential sources of risk events

May be created by internal or external RM specialists

4
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS

What is a risk checklist?

When are they used and why?

How may a checklist be drawn up? (2)

What is an example and an advantage of the second way?

What are 2 positives and 1 negative of more detailed checklists and what does this mean for an organisation?

A

Provide a prepared list of potential risk events

Used to support other risk-identification approaches = expert judgement, focus groups and surveys

Why = ensures that particular types of risk event are not forgotten and that all relevant sources of risk are given consideration

An organisation may draw up its own checklists based on its past experience of risk events, or use checklists provided by an external agency e.g., the Basel loss event types

Advantage = external agency is able to learn from experience of multiple organisations

Positives:
1. Facilitate more targeted risk assessment monitoring and control activities
2. Reduce the chance that important risk events may be overlooked

Negative = increase the amount of time that must be devoted to risk identification

Organisation must balance the costs and benefits of more or less detailed checklists and choose the approach that works best for its circumstances

5
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS

What are the 6 benefits of checklists?

A
  1. A cheap and efficient way of collating large amounts of information
  2. Simple and easy to use = ensures that relevant sources of risk are not missed
  3. A useful way of updating information for current use and for monitoring trends against previous surveys
  4. Can be adapted to individual areas of risk focus (H&S, environmental)
  5. Useful for putting diverse sources of information into a common format
  6. Can be used to provide evidence of compliance with relevant risk-management regulations
6
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS

What are the 6 disadvantages of checklists?

A
  1. Can be used by someone who may not be skilled in the subject of the checklist
  2. Can be completed by someone who may not understand precisely the objectives and ultimate use of their answers
  3. Can focus the user’s attention simply on completing the checklist, causing the task to be seen as just a ‘form filling’ exercise
  4. May be ambiguous to the reader, however careful the design
  5. May be completed too quickly, and therefore without much thought, by someone who considers that their own time is better spent elsewhere
  6. May be completed by someone who has their own reasons for suppressing risk information
7
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - PHYSICAL INSPECTIONS

Which types of risks are physical inspections commonly used to identify/assess?

Who completes physical inspections?

Inspections are often supported by the use of what?

What is the advantage?

What are the 4 disadvantages?

A

H&S related risks or risks relating to fire and other physical hazards

Usually completed by qualified risk-identification specialists = building surveyor, fire-safety professional or H&S expert

Use of questionnaires or checklists to ensure that nothing important is missed

Advantage = someone with specialised knowledge can take a professional view of what is there + a formal inspection report will normally conclude with recommendations to improve the control environment and reduce the probability and impact of loss

Disadvantages:
1. Only faults visible on the day of the inspection can be examined
2. Expensive
3. Third-party risks cannot be fully assessed by inspection
4. RM is the responsibility of all employees; an inspection can create the erroneous view that responsibility for risks has been transferred to the inspector

8
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SWIFT

What is SWIFT?

When is it commonly used

What does the technique rely on and what is it often supported by?

What does the SWIFT leader do?

What does the SWIFT recorder do?

What are the advantages? (3)

What is the disadvantage?

A

the Structured What-If Technique = a systematic, team-oriented technique
= uses a series of structured ‘what-if’ and ‘how-could’ type questions to consider deviations from the normal operation of systems and processes

Commonly used for the identification of H&S and environmental-related risks

Relies on expert input from the team to identify risk events, supported by checklists

The SWIFT leader’s function is to structure the discussion

The SWIFT recorder keeps a running record of the discussion on a standard log sheet

Advantages:
1. no standard approach = flexible (can be modified to suit each individual application)
2. more likely to identify all relevant risk events (hence used in more hazardous sectors to ensure all risks are identified)
3. is efficient = generally avoids lengthy discussions of areas where hazards are well understood or where prior analysis has shown no hazards are known to exist

Disadvantage = expensive to use because of the amount of time and people involved

9
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SWIFT

What are the common 6 steps in the protocol for the SWIFT analysis of a risk event?

A
  1. Define the systems/processes being analysed and consider each in turn
  2. List possible risk events and put them in logical order for discussion – start with major events
  3. Consider each risk in turn and each possible cause of the risk event
  4. Consider the consequences and safeguards to be put in place
  5. Record discussion on SWIFT log sheets
  6. Reconsider if any risk events have been overlooked/omitted and use checklists/previous experience to check for completeness
10
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - DELPHI

What is the Delphi technique?

How does it work? (3)

What is the advantage? (2)

What is the disadvantage?

A

= an information-gathering tool that is used to reach a consensus of experts on a subject (risk events)

  1. Each expert participates anonymously and a facilitator uses a questionnaire to solicit ideas about the important points
  2. The responses are summarised and re-circulated to the experts for further comment.
  3. Consensus may be reached in a few – or many – rounds of this process

Advantages = (1) helps reduce bias and keeps any one person from having undue influence on the risks that are identified
(2) the technique can be effective at predicting risk events

Disadvantage = it is time consuming, especially if a consensus is hard to reach

11
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - DELPHI

What are the common 5 steps in the procedure?

A
  1. Agree what is to be analysed (function, department, project, or process)
  2. Select panel of experts (keep membership anonymous)
  3. Send background info and questionnaire that asks them to identify relevant risks
  4. Facilitator compiles responses then sends them out to the experts for their review and comment
  5. Repeat until consensus reached
12
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - ROOT-CAUSE

What is root-cause analysis?

What might it be applied to?

What assumption is it based on?

What are the 2 advantages?

What is the disadvantage?

A

= focuses on investigating the root cause of risk events

May be applied to hypothetical risk-event scenarios or actual risk events that have occurred, either within the organisation or in similar organisations

Based on the assumption that many risk events have multiple causes
E.g., a fire risk event needs material to burn, a spark and oxygen before it can cause damage

Advantages:
1. Root-cause analysis adds depth to the identification of risk by exploring how and why the event may occur (If organisation can prevent causes = prevent risk event from occurring)
2. A good technique to use when investigating the causes of large or negative events, to prevent them happening again

Disadvantage = time consuming = rarely practical or cost effective

13
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - ROOT-CAUSE

Root-cause analysis approaches vary but are based on what four principles?

How are the causes and order of an event often identified?

What is the 5 whys technique?

A
  1. Identify the causes of the event
  2. Establish the timeline from normal operations to a risk event
  3. Distinguish between root causes and more immediate causes
  4. Use the results to improve controls and to help manage future risk events

The causes and order of an event are often identified using the ‘5 whys’ technique

5 whys technique = usually possible to get to the root cause in 5 questions:
1. Why did a fire occur?
2. Why did the material burn?
3. Why did the spark occur?
4. Why did the electrical fault occur?
5. Why was the wiring old? = not safety inspected

14
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SYSTEM AND PROCESS MAPPING

What is systems and process mapping? (2)

What is a common investigation technique?

What does fault tree analysis try to identify?

What does it begin with?

What is the aim of fault-tree analysis?

What is the advantage if a fault-tree?

What is the disadvantage?

A
  1. involves putting all of an organisation’s systems and processes into flow charts
  2. Flow charts are then investigated to identify potential sources of risk to the various systems, processes, activities or objectives

A common investigation technique = fault tree analysis

Fault tree analysis tries to identify potential system or process failures (risk events) and then looks backwards to search out the possible causes of that failure

Fault-tree analysis begins with each element in a system or process flow and then considers what might happen if this element fails

Aim of fault-tree analysis = to identify key points of failure and whether these can be overcome by adapting other parts of the system or process flow
○ Fault trees can be long or short, simple or technical

Advantage of fault-tree approach = can highlight and link connected risk events that could combine to cause much larger risk events

Disadvantage = takes lots of time and money
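Added example (not from the flashcards or any cited standard): the mechanical part of the fault-tree analysis described above. A tree of AND/OR gates is expanded into its minimal cut sets (the smallest combinations of basic events that cause the top event); cut sets of size 1 are the key points of failure, and re-running the analysis after a change shows whether adapting another part of the flow has removed them. The 'unrecoverable data loss' tree, its event names and the hardening variant are constructed for illustration.

```python
"""Fault-tree analysis: expand a tree of AND/OR gates into its minimal cut sets.

Added example, not from the flashcards. The 'unrecoverable data loss' tree
below is constructed for illustration; its event names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Basic:
    """Leaf: a single failure whose causes are not analysed further."""
    name: str


@dataclass(frozen=True)
class Gate:
    """Intermediate or top event. AND: occurs only if every input occurs.
    OR: occurs if any input occurs."""
    name: str
    kind: str          # "AND" or "OR"
    inputs: tuple      # of Basic | Gate


Node = Union[Basic, Gate]


def cut_sets(node: Node) -> set[frozenset[str]]:
    """Every set of basic events whose joint occurrence causes `node`:
    the 'look backwards from the failure to its causes' step."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        # any one input suffices: union of the inputs' cut sets
        return set().union(*child_sets)
    if node.kind == "AND":
        # all inputs needed: combine one cut set from each input
        combined = {frozenset()}
        for sets in child_sets:
            combined = {a | b for a in combined for b in sets}
        return combined
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> set[frozenset[str]]:
    """Drop cut sets that are strict supersets of another: if {a} already
    causes the top event, {a, b} adds no new failure path."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def single_points_of_failure(node: Node) -> set[str]:
    """Basic events that alone cause the top event (minimal cut sets of size 1):
    the 'key points of failure' the analysis is meant to surface."""
    return {next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1}


# --- constructed tree (assumption) ---------------------------------------
PRIMARY_LOST = Gate("primary data destroyed", "OR", (
    Basic("ransomware encrypts file server"),
    Basic("storage array failure"),
))
BACKUPS_UNUSABLE = Gate("backups unusable", "OR", (
    Basic("nightly backup job silently failing"),
    Basic("backup share reachable from file server and encrypted too"),
))
DATA_LOSS = Gate("unrecoverable data loss", "AND", (PRIMARY_LOST, BACKUPS_UNUSABLE))

# Same tree plus one path: a single privileged account that can delete both
# data and backups is a single point of failure.
DATA_LOSS_WITH_ADMIN = Gate("unrecoverable data loss", "OR", (
    DATA_LOSS,
    Basic("compromised domain admin deletes data and backups"),
))

# 'Adapting other parts of the flow': an offline backup copy turns every
# two-event cut set into a three-event one (the admin path is left out here).
HARDENED = Gate("unrecoverable data loss", "AND", (
    PRIMARY_LOST,
    Gate("all backups unusable", "AND", (BACKUPS_UNUSABLE, Basic("offline copy also lost"))),
))


if __name__ == "__main__":
    for label, tree in (("as-is", DATA_LOSS), ("shared admin", DATA_LOSS_WITH_ADMIN), ("hardened", HARDENED)):
        print(label, "- single points of failure:", single_points_of_failure(tree) or "none")
        for cs in sorted(minimal_cut_sets(tree), key=lambda s: (len(s), sorted(s))):
            print("   ", " AND ".join(sorted(cs)))
```

The linked-events advantage from the card shows up directly: each minimal cut set is a combination of smaller failures that together produce the larger one, and the size of the smallest cut set is a quick measure of how many things must go wrong at once.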

15
Q

TECHNIQUES FOR IDENTIFYING RISK EVENTS - LOSS EVENT AND NEAR-MISS INVESTIGATIONS

What is a loss event?

Name an example.

Why should loss events be investigated?

What are near misses?

Name an example.

Why should near misses be investigated? (2)

A

Loss event = risk events that result in monetary or non-monetary losses

E.g., faulty machinery, liability claims, adverse media attention, or employee injury

Are learning opportunities = organisation may decide to identify the cause and help prevent more serious risk events in the future = investigations could help to identify new risks & signify an increase in exposure

Near misses = risk event occurs but doesn’t result in loss = events that should have resulted in a financial or non-financial loss, but for one reason or another did not

E.g., a small fire that is extinguished before damage can be done

Near misses are important learning opportunities.
1. The next time they occur, an actual loss may be incurred.
2. It is important to learn from the near miss to help prevent future occurrences.

16
Q

IDENTIFYING EMERGING RISKS

What are emerging risks?

How are they categorised?

Name 3 examples of current emerging risks.

What are the 3 techniques for identifying emerging risks and why are these techniques important?

A

Emerging risks = either significant new risks, or risks that were known about previously, but which were not considered to be significant

Emerging risks are characterised by high levels of uncertainty = there is not yet much experience gained = can be ignored or over- or underestimated

  1. cyber risks such as ransomware
  2. other examples are linked to political uncertainty (such as Brexit)
  3. global warming (the rise in severe weather events)

A. PEST analysis
B. SWOT analysis
C. World Economic Forum Global Risk Report

Techniques for identifying emerging risks can help to prevent them from being ignored or underestimated

17
Q

IDENTIFYING EMERGING RISKS - PEST ANALYSIS

What is PEST analysis and an example of each?

PEST analysis is usually completed by who?

What may be used to support PEST analysis?

A

= analyses changes in political, economic, social, and technological changes

Political change = change in legislation and regulations or changes in political philosophies e.g. Brexit

Economic change = periods of high or low inflation or interest rates

Social and technological = rise of the internet, smartphones and social media, leading to increased cyber-security and reputational risk

PEST analysis is usually completed by a group of participants but also common for the board to be involved where large-scale emerging risks can have a far reaching strategic impact

Analytical tools like the Delphi technique may be used to support PEST analysis

18
Q

IDENTIFYING EMERGING RISKS - SWOT ANALYSIS

What is SWOT analysis?

What is the process? (3)

A

Strengths, weaknesses, opportunities, and threats analysis = a strategic tool used to identify business objectives and emerging risks

  1. Begins by identifying an organisation’s strengths and weaknesses
    e.g., its finances, abilities of key personnel, market power, efficiency/inefficiency of operations
  2. Focus then shifts to identifying potential opportunities and threats which may be on the horizon
    E.g., consumer demand, distribution channels, system and process innovation
  3. An organisation’s strengths and weaknesses are then set against the opportunities and threats to identify opportunities that may be exploited and threats to existing objectives that need to be addressed
19
Q

IDENTIFYING EMERGING RISKS - WORLD ECONOMIC FORUM GLOBAL RISK REPORT

What is the annual World Economic Forum Global Risk Report?

Name 3 of the top risks in the 2023 report.

Name 2 previous topic risks.

A

= a useful source of current and emerging risks = report provides a strategic view of risk supplemented by in-depth analysis of specific ‘hot topics’

Top risks from 2023 were:
1. Cost of living crisis
2. Extreme weather events
3. Widespread cybercrime

Previous topics = pandemic (2021), natural disasters (2018)

20
Q

RISK-ASSESSMENT TECHNIQUES

What do risk-assessment techniques do?

Which ISO standards provides guidance on the use of the main categories of risk-assessment techniques?

What are the 3 risk-assessment techniques?

A

Assess the probability and impact of a risk event to help determine the level of exposure

ISO/IEC 31010:2009 ‘Risk management – Risk assessment techniques’ (since revised as IEC 31010:2019)

  1. Quantitative
  2. Qualitative
  3. Hybrid (stress testing and scenario analysis)
21
Q

RISK-ASSESSMENT TECHNIQUES - QUALITATIVE

What does qualitative risk assessment involve?

What techniques are used?

What is the dominant qualitative technique?

What other terms could be used?

Why is it important that the order of magnitude is clear?

A

Involves a significant degree of judgement

Similar techniques to those used for risk identification are often used, including expert judgement, focus groups and surveys

Dominant qualitative technique = estimate probability and impact using an ordinal scale:
1 = Low
2 = Medium
3 = High
(Data is shown in order of magnitude only: 2 is larger than 1, but not necessarily twice as large)

Some organisations may use words to describe the level of probability and impact e.g., ‘almost certain’, ‘severe’ or ‘extreme’ for higher values or ‘minor’, ‘insignificant’ and ‘negligible’ for lower ones

Terms used are not important, as long as their order of magnitude is clear = is common practice to provide definitions for the terms chosen = help improve the accuracy and consistency of risk-assessment activities across an organisation

22
Q

RISK-ASSESSMENT TECHNIQUES - QUALITATIVE

What are the 2 levels of assessment that may be performed in qualitative risk-assessment?

Why?

What is the final extension in a qualitative risk-assessment?

What is important to stress?

What is the strength of a qualitative risk-assessment technique?

What are the 2 weaknesses?

A

Two levels of assessment = one for inherent risk and another for residual risk

One for inherent risk = to show the potential exposure to risk, should controls not be in place

One for residual risk = to show the current effectiveness of the controls that have been applied

A final extension combines probability and impact to arrive at an exposure score
= Usually the ordinal values are multiplied together to arrive at an order of magnitude for exposure
* E.g., rows = probability, columns = negative impact:

Probability ↓ / Impact → | 1 | 2 | 3
1                        | 1 | 2 | 3
2                        | 2 | 4 | 6
3                        | 3 | 6 | 9

It is important to stress that these are ordinal values = an exposure value of 9 is larger than 6, but not known by how much larger

Strength = Do not need data (unlike quantitative techniques)
Weakness = (1) much more subjective compared to quantitative techniques and (2) can only provide an order of magnitude for probability and impact rather than a precise measurement
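Added example (not from the flashcards): the exposure matrix above applied to a small constructed register, scoring each risk twice (inherent and residual), ranking by residual exposure, and counting risks per cell as a heat map would. It also carries the two checks a practitioner wants on this kind of scoring: ratings off the ordinal scale are rejected, and a residual rating above the inherent one is rejected as a data-entry error, since controls can only lower probability or impact. The register entries and their ratings are assumptions.

```python
"""Qualitative exposure scoring on an ordinal 1-3 scale, inherent vs residual.

Added example, not from the flashcards. The four register entries are
constructed; their names and ratings are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = {1: "Low", 2: "Medium", 3: "High"}


def exposure(probability: int, impact: int) -> int:
    """Ordinal probability x ordinal impact, the 3x3 matrix above.
    The product orders risks (9 > 6 > 4 ...) but does not say how much
    worse one is than another: only comparisons are meaningful."""
    for value in (probability, impact):
        if value not in SCALE:
            raise ValueError(f"{value} is not on the ordinal scale {sorted(SCALE)}")
    return probability * impact


@dataclass
class Risk:
    name: str
    inherent_p: int   # probability with no controls in place
    inherent_i: int   # impact with no controls in place
    residual_p: int   # probability given the controls actually applied
    residual_i: int   # impact given the controls actually applied

    def inherent(self) -> int:
        return exposure(self.inherent_p, self.inherent_i)

    def residual(self) -> int:
        return exposure(self.residual_p, self.residual_i)


def check_residual(risk: Risk) -> None:
    """Controls can only lower probability or impact. A residual rating above
    the inherent one is a data-entry error, not a finding; reject it."""
    if risk.residual_p > risk.inherent_p or risk.residual_i > risk.inherent_i:
        raise ValueError(f"{risk.name}: residual rating exceeds inherent rating")


def rank(risks: list[Risk]) -> list[str]:
    """Names ordered by residual exposure, highest first. 1x3 and 3x1 both
    score 3, so ties are broken on impact; that tie-break is a policy choice
    the register's definitions should state, not a property of the scale."""
    for risk in risks:
        check_residual(risk)
    ordered = sorted(risks, key=lambda r: (r.residual(), r.residual_i), reverse=True)
    return [r.name for r in ordered]


def heat_map_counts(risks: list[Risk]) -> dict[tuple[int, int], int]:
    """Number of risks in each (probability, impact) cell of the residual
    matrix: the counts a 3x3 heat map colours."""
    counts = {(p, i): 0 for p in SCALE for i in SCALE}
    for risk in risks:
        counts[(risk.residual_p, risk.residual_i)] += 1
    return counts


# --- constructed register (assumption) ------------------------------------
REGISTER = [
    Risk("Ransomware on file servers", 3, 3, 3, 2),      # offline backups cut impact, not probability
    Risk("Loss of key supplier", 2, 3, 1, 3),
    Risk("Minor policy breaches by staff", 3, 1, 3, 1),  # no control applied yet
    Risk("Data centre power failure", 2, 2, 1, 2),
]


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name:32} inherent {risk.inherent()}  residual {risk.residual()}")
    print("ranking:", rank(REGISTER))
    # 'Loss of key supplier' (1x3) and 'Minor policy breaches' (3x1) both score 3;
    # the number alone cannot tell them apart, the definitions behind it must.
```

Keeping the scale definitions next to the scoring function is the practical form of the card's point that terms must be defined: a register that lets 'High' mean different things in different departments cannot be aggregated, whatever the arithmetic says.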

23
Q

RISK-ASSESSMENT TECHNIQUES - QUANTITATIVE

What is quantitative risk-assessment?

With quantitative methods, it is possible to do what? (2)

What principles does quantitative risk assessment use?

Is quantitative risk-assessment superior to qualitative procedures? / what are the strengths? (2)

What are the 2 problems/weaknesses?

Where is quantitative risk assessment most used?

A

= applies a standard of measurement to probability and impact to allow a more precise and objective analysis of risk

Possible to:
A. determine how much bigger a given probability or impact value is than another
B. model an infinite number of probability and impact combinations

Uses the principles of statistical analysis.

In theory, yes:
(1) is mathematically precise
(2) does not rely on subjective judgement = uses historical data

In practice, quantitative risk assessment is problematic:
1. Require large amounts of historical data to work effectively = data is not always available
2. There is no guarantee that what has happened in the past will happen in the same way in the future

Used most in the financial services sector for assessing financial risks (e.g., market and credit risk) where data is plentiful (although the 2007-08 financial crisis was not predicted by these models!)

24
Q

RISK-ASSESSMENT TECHNIQUES - HYBRID

What are hybrid approaches to risk assessment?

What is the aim?

What are hybrid approaches used for?

What are the 2 types of hybrid approaches?

A

Hybrid approaches combine elements of quantitative and qualitative risk assessment

Aim = to provide a relatively consistent and objective method for assessing risk, which does not rely on large amounts of data

Hybrid approaches are used for extreme risk events, meaning those with a low probability, but a high impact (whether positive or negative)

  1. Stress testing
  2. Scenario analysis
25
Q

RISK-ASSESSMENT TECHNIQUES - HYBRID - STRESS TESTING

What is stress testing?

What are 3 common variables?

What are the 2 advantages?

What is reverse stress testing?

What are the 2 approaches to reverse stress testing?

A

= involves assessing the impact that extreme movements in key financial variables may have on an organisation, either in isolation or together

Common variables include: (1) a fall in income (2) rising inflation (3) rising or falling interest rates

Advantages:
1. Stress testing is a good way to assess the financial strength of an organisation, especially when faced with extreme events
2. It can help an organisation to prepare for extreme events should they occur, helping to reduce the chance of significant financial distress or bankruptcy

Reverse stress test = establishes the point at which an organisation’s objectives are no longer achievable
= a useful tool for corporate financial resiliency planning

2 approaches to reverse stress testing:
(1) Define a series of events, which will cause the business plan to fail, then measure the implications on the business plan for each of the identified events

(2) Start with the income statement and balance sheet and investigate each line item, identifying the factors that would affect that line item to such a degree that the business plan fails or the organisation becomes insolvent

26
Q

RISK-ASSESSMENT TECHNIQUES - HYBRID - SCENARIO ANALYSIS

What is scenario analysis?

What are the 2 principal types of scenarios?

What are the 2 disadvantage?

What are the 3 advantages?

A

= relevant experts and managers determine plausible but extreme future scenarios and then assess the impact on an organisation should the scenario manifest itself

  1. Single variable scenarios = focus on specific event or occurrence = looks at both the possible frequency of occurrence and impact from that single event
  2. Multi-variable scenarios = examine the occurrence of multiple inter-related events (that may occur at same time or as a chain of linked events)

Disadvantages = time consuming and may involve a number of functional specialists and managers

Advantages:
(1) Can help organisations to anticipate and prepare for extreme scenarios
(2) Especially well-suited to testing business continuity plans and for estimating the maximum level of loss = can help determine the level of insurance cover
(3) Can determine more accurate probability and impact values for extreme events = allow an organisation to rank scenarios in order of significance = allows scarce management and control resources to be utilised effectively

27
Q

THE RISK REGISTER

What 2 tools are used by organisations to store and monitor the results of their risk-assessment activities?

What is a risk register?

What is important to ensure?

How often is a risk register updated?

What 5 things may a simple risk register include?

A

Risk registers and risk and control self-assessments

A spreadsheet or database application used to store information on risk events that have been identified and assessed

Important to ensure that data is collected and organised in a way that allows data to be aggregated across different registers
(Most organisations have 1 or more risk registers)

Updated on a regular basis – typically monthly/quarterly (depends on how often risk exposure changes)

  1. a description of the risk event that has been identified;
  2. the risk category that the risk event is linked to;
  3. the person responsible for managing the risk event on a day-to-day basis, often known as the risk owner;
  4. a qualitative probability and impact assessment of the risk event; and
  5. any actions currently under way to control the probability or impact of the risk event.
28
Q

THE RISK REGISTER

Name 5 things that a more comprehensive risk register may include.

A
  1. a qualitative probability and impact assessment of inherent risk;
  2. a qualitative probability and impact assessment of the residual risk;
  3. information on the potential causes of the risk event;
  4. information on the potential financial and non-financial impacts of the risk event;
  5. Any risk metrics that are used to monitor exposure
29
Q

RISK AND CONTROL SELF-ASSESSMENTS (RCSA)

What is a RCSA?

What does it provide?

What is a key output?

What can a RCSA be used to support?

What will RCSA documentation include?

What is the assessment used for?

What is it common to link in a RCSA document and why?

A

= a process that combines risk identification, qualitative risk assessment and an assessment of control effectiveness.

Provides a systematic means for identifying control weaknesses and gaps that may threaten the achievement of an organisation’s objectives or the operational efficiency of its systems and processes

A key output = the production of action plans that help to allocate scarce resources to address control gaps or weaknesses (where the benefits of doing so exceed the associated costs of increased control)

Can be used to support internal audit and governance activities

Include the typical components of a risk register, plus an assessment of the effectiveness of the controls that are in place
= This assessment is used to estimate the residual risk exposure

It is common to link risk events to organisational objectives in a RCSA document = ensures the effect that a risk may have on an organisation’s objectives is understood and supports the board in its governance responsibilities

30
Q

RISK REPORTING

Why does risk reporting exist?

What is the single best approach to the design or presentation of risk reports?

What is RAG Reporting?

What are the 3 categories/levels?

A

Effective risk reporting exists to support decision-making in an organisation = decision-makers need information on the nature and extent of risks to make the best possible choices

There isn’t one, nor is there an optimum number of risks to report = best approach is context-specific and will depend on the nature, scale and complexity of an organisation’s activities and risks

RAG = red, amber and green system used to help prioritise risk exposure, control weaknesses, internal audit issues etc.

Red = The level of risk exposure is very high (or low) and could threaten the achievement of an organisation’s strategic objectives
=Immediate action is required on the part of management to manage the risk in question

Amber = The level of risk exposure is higher/lower than normal
= Management attention is required to determine whether action needs to be taken in the near future

Green = The level of risk exposure is within normal parameters
= No action is required – the risk is under adequate control

31
Q

RISK REPORTING TOOLS

What are the 5 common risk reporting tools?

How will an organisation select which tool to use?

RISK EVENT AND NEAR MISS DATABASES

What may an organisation report?

What if there is sufficient data?

What is the benefit of this?

A
  1. Heat maps
  2. Risk event and near miss databases
  3. Risk, control and performance indicators
  4. Risk dashboards and balanced scorecards
  5. Narrative reporting

An organisation will select these tools based on regulatory requirements and the needs of their decision-makers

Organisations may report the number of risk events or near misses, as well as the value of any financial or non-financial loss

If there is sufficient data, it may be possible to provide reports by risk category or business unit and function
= can help to focus management attention on key categories of risk or high-risk business units and functions

32
Q

RISK REPORTING TOOLS - HEAT MAPS

What are heat maps?

What types of heat maps are there? (2)

What size should a heat map be?

What is an objective heat map?

A

Use the concept of RAG reporting, but may add black to show extreme risks and blue for insignificant risks

(1) some show the status of risk, control, or performance indicators
(2) others are used to show trends in risk exposure

Large ones can be difficult to interpret, but smaller ones can help management focus on the most significant risk exposures or control weaknesses (red/black or amber)

A heat map that illustrates the level of risk currently associated with not meeting each objective

33
Q

RISK REPORTING TOOLS - RISK, CONTROL, AND PERFORMANCE INDICATORS

What are the differences between risk, control and performance indicators?

Name example(s) of each.

Who may reports may be produced for?

A

Risk indicators = provide information on an organisation’s inherent risk exposure to 1 or more risks
E.g., staff turnover, number of attempted firewall breaches, credit scores of customers or suppliers that owe the organisation money

Control indicators = provide information on the effectiveness of controls = help organisations to understand how their residual risk exposures may be changing
E.g., frequency of electrical testing, unresolved internal audit issues, number of breaches of policies or procedures

Performance indicators = provide information on how effectively an organisation is operating
E.g. staff absence rate

Different reports may be produced for different departments and functions, as well as different levels of management

34
Q

RISK REPORTING TOOLS - RISK DASHBOARDS AND BALANCED SCORECARDS

What is a risk dashboard?

How may a risk dashboard be presented?

What makes an effective risk dashboard?

A

= risk reports that combine various risk and control indicators, as well as heat maps, risk event and near miss data

May be presented thematically
E.g., the board may receive a strategic risk dashboard
Senior managers may receive dashboards on particular topics (e.g., health and safety) or on particular departments
Function managers may receive dashboards relating to their area of responsibility

Effective dashboards are not long = care is needed to provide the most relevant sources of information in the clearest way

35
Q

RISK REPORTING TOOLS - RISK DASHBOARDS AND BALANCED SCORECARDS

What are balanced scorecards used for?

What do balanced scorecards provide?

What are the 4 focus elements?

What may balanced scorecards be linked to and why?

A

Used for strategic planning

Provide a means of structuring a risk dashboard around an organisation’s objectives so that the risks to these objectives can be monitored and reported

Balanced scorecards typically use four focus elements:
1. financial performance
2. operational efficiency
3. human resources
4. compliance

Balanced scorecards may be linked to employee development and performance reviews
= ensures that an organisation’s employees make risk taking and control decisions that are consistent with its objectives

36
Q

RISK REPORTING TOOLS - NARRATIVE REPORTING

What is risk narrative reporting?

Where is it common?

What may it be combined with?

How are they set up?

A

Involves using words to explain how a risk exposure is changing

Common where there is no numerical data that can be reported

It may be combined with numerical data to help provide context

In a table with columns ‘indicator’, ‘trend’ (trend arrows show whether the risk is increasing or decreasing and may be RAG related to provide further context), ‘value last month’, ‘previous value’, and ‘commentary’
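Added example (not from the flashcards): one risk indicator from card 33, the number of attempted firewall breaches, derived from raw log lines, rated red/amber/green against thresholds as in card 30, and turned into a row of the narrative-report table described above (indicator, trend, value last month, previous value, commentary). The log excerpt, its field layout, the indicator name and the thresholds are all constructed assumptions; in a real report the commentary is written by the risk owner, not generated.

```python
"""Deriving a key risk indicator (KRI) from log data, RAG-rating it and
producing a narrative-report row.

Added example, not from the flashcards. The log lines are constructed; the
field layout, thresholds and indicator name are assumptions.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime

# Constructed firewall log excerpt (assumption): timestamp, action, src -> dst:port
FIREWALL_LOG = """\
2024-05-03T02:14:07Z DENY 203.0.113.7 -> 10.0.0.5:3389
2024-05-03T02:14:09Z DENY 203.0.113.7 -> 10.0.0.5:22
2024-05-11T18:40:51Z ALLOW 198.51.100.20 -> 10.0.0.8:443
2024-05-19T09:02:33Z DENY 203.0.113.9 -> 10.0.0.5:445
2024-06-02T00:00:12Z DENY 198.51.100.77 -> 10.0.0.5:3389
2024-06-02T00:00:13Z DENY 198.51.100.77 -> 10.0.0.5:3389
2024-06-02T00:00:14Z DENY 198.51.100.77 -> 10.0.0.5:3389
2024-06-14T11:11:11Z ALLOW 198.51.100.20 -> 10.0.0.8:443
2024-06-21T22:05:40Z DENY 192.0.2.33 -> 10.0.0.6:22
2024-06-21T22:05:41Z DENY 192.0.2.33 -> 10.0.0.6:23
2024-06-21T22:05:42Z DENY 192.0.2.33 -> 10.0.0.6:3389
"""


def denied_attempts_per_month(log: str) -> dict[str, int]:
    """KRI: inbound connection attempts the firewall denied, per month.
    A rising count signals growing inherent exposure (more hostile probing),
    not a control failure: the control worked each time it denied."""
    counts: Counter[str] = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, action, *_ = line.split()
        if action == "DENY":
            month = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")
            counts[month] += 1
    return dict(sorted(counts.items()))


def rag(value: int, amber_at: int, red_at: int) -> str:
    """Red/amber/green rating against two thresholds (higher value = higher exposure)."""
    if value >= red_at:
        return "RED"
    if value >= amber_at:
        return "AMBER"
    return "GREEN"


def trend(current: int, previous: int) -> str:
    """Direction of change between the last two reported values."""
    if current > previous:
        return "up"
    if current < previous:
        return "down"
    return "flat"


def narrative_row(indicator: str, series: dict[str, int], amber_at: int, red_at: int) -> dict[str, str]:
    """One row of the narrative-report table. The commentary here is derived
    from the numbers so the row is self-contained; the risk owner writes it."""
    months = list(series)
    if len(months) < 2:
        raise ValueError("need at least two months to report a trend")
    current, previous = series[months[-1]], series[months[-2]]
    status = rag(current, amber_at, red_at)
    actions = {
        "RED": "Immediate management action required",
        "AMBER": "Management attention required to decide whether action is needed",
        "GREEN": "Within normal parameters; no action required",
    }
    return {
        "indicator": indicator,
        "trend": f"{trend(current, previous)} {status}",
        "value last month": str(current),
        "previous value": str(previous),
        "commentary": (f"{current} denied inbound attempts in {months[-1]} vs "
                       f"{previous} in {months[-2]}. {actions[status]}."),
    }


if __name__ == "__main__":
    series = denied_attempts_per_month(FIREWALL_LOG)
    row = narrative_row("Denied inbound connection attempts", series, amber_at=5, red_at=10)
    for column, value in row.items():
        print(f"{column:18} {value}")
```

The thresholds are where the RAG definitions from card 30 live; without agreed values for amber and red the colour is just the report writer's opinion, which is the same consistency problem the qualitative-scale cards warn about.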

37
Q

DESIGNING AND IMPLEMENTING RISK REPORTS

What are the 4 key factors to consider when designing and implementing risk reports?

A
  1. Audience
  2. Size and level of detail = too much data and the audience will have to spend longer reviewing it and will be less likely to make sense of it
     = Should consult with the intended audience to determine the essential pieces of data and narrative reporting they need, in a length and at a level of complexity that works for them
  3. Level of statistical complexity = not all audiences will understand statistics or need a statistically complex report
     = Consultation with the report’s audience should help to determine their requirements
  4. Frequency = depends on the frequency with which risk exposures change
     • In volatile areas like financial markets, reporting may be daily or on a real-time basis
     • Monthly or quarterly is normal for other risks like health and safety
38
Q

DESIGNING AND IMPLEMENTING RISK REPORTS - AUDIENCE

Why do different audiences require different types of risk reports?

What kind of risk reports would the following groups need and why:

  1. The Board
  2. Senior management
  3. Business unit
  4. Individual teams and support functions
A

Because different audiences make different decisions (= require different data) and have different competencies

Board = high level risk reports to support governance and strategic decisions
= Heat maps and Key Risk Indicator (KRI) reports

SM = more detailed reports focusing on key areas of risk to support allocation of resources and escalation, but still high level
= Heat maps and KRI reports

Business unit = even more detailed reports, but tend to be specific
= Review risk registers, KRIs and Key Control Indicators (KCI), loss and near miss data

Individual teams and support functions = strong functional and performance focus
= Review local risk registers and KRIs/KCIs, local loss and near misses