Evaluating and reporting risk Flashcards
What are the 6 techniques for identifying risk events?
An organisation’s choice of techniques will depend on what? (4)
What is the purpose of risk identification?
Why are analytical techniques generally seen as better?
- Expert judgement
- Focus groups and surveys
- Checklists
- Physical inspections
- Analytical approaches = SWIFT, Delphi, Root-cause analysis, and system and process mapping
- Loss event and near-miss investigations
Depends on the nature, scale and complexity of its activities, as well as regulatory requirements
= to determine the nature of risks and the specific types of risk event that may occur
They use a range of research and logic structuring methods to make risk identification more scientific and less prone to human error.
TECHNIQUES FOR IDENTIFYING RISK EVENTS - EXPERT JUDGEMENT
What does expert judgement rely on?
Name an example.
What are the two types of experts?
Who is it helpful to have work with an expert?
What is the advantage?
What is the disadvantage?
Relies on skills and experiences of relevant specialists, either in isolation or working as a group
E.g., IT specialist should have a good understanding of the types of IT-related risk events to which an organisation may be exposed
Internal and external = most organisations will use their own internal specialists to provide expert judgement, but in some circumstances external experts (RM consultants) may be used
Helpful to have a facilitator to work with experts to help them identify all relevant risks
= the facilitator may be an internal risk specialist or an external consultant
Advantage = using 1 expert is cost effective in terms of time
Disadvantage = possibility that the expert may miss something important or exhibit some form of perceptual bias
TECHNIQUES FOR IDENTIFYING RISK EVENTS - FOCUS GROUPS AND SURVEYS
Who might focus groups comprise?
What is the main idea behind a focus group?
What is the advantage?
What is the disadvantage?
What is a risk survey?
What are the 2 types of risk surveys?
How can they be created?
May comprise a mix of specialists (IT, finance and HR specialists) and include functional and departmental managers (operations managers or marketing managers)
Idea = to share a range of different perspectives and experiences to achieve a consensus view
Advantage = should ensure that a greater number of relevant risk events are identified
Disadvantage = focus groups take up more specialist or management time due to the greater number of people involved
Risk survey = relevant specialists and managers are asked a series of questions and their responses are consolidated and analysed to identify relevant risk events
- Simple survey = may ask respondents to list the risk events that they believe could occur or may provide a checklist of potential risk events
- More sophisticated = may ask about how organisational processes and procedures are designed and controlled to identify the potential sources of risk events
May be created by internal or external RM specialists
TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS
What is a risk checklist?
When are they used and why?
How may a checklist be drawn up? (2)
What is an example and an advantage of the second way?
What are 2 positives and 1 negative of more detailed checklists and what does this mean for an organisation?
Provide a prepared list of potential risk events
Used to support other risk-identification approaches = expert judgement, focus groups and surveys
Why = ensures that particular types of risk event are not forgotten and that all relevant sources of risk are given consideration
An organisation may draw up its own checklists based on their past experience of risk events, or use checklists provided by an external agency e.g., Basel loss event types
Advantage = external agency is able to learn from experience of multiple organisations
Positives:
1. Facilitate more targeted risk assessment monitoring and control activities
2. Reduce the chance that important risk events may be overlooked
Negative = increase the amount of time that must be devoted to risk identification
Organisation must balance the costs and benefits of more or less detailed checklists and choose the approach that works best for its circumstances
TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS
What are the 6 benefits of checklists?
- A cheap and efficient way of collating large amounts of information
- Simple and easy to use = ensures that relevant sources of risk are not missed
- A useful way of updating information for current use and for monitoring trends against previous surveys
- Can be adapted to individual areas of risk focus (H&S, environmental)
- Useful for putting diverse sources of information into a common format
- Can be used to provide evidence of compliance with relevant risk-management regulations
TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS
What are the 6 disadvantages of checklists?
- Can be used by someone who may not be skilled in the subject of the checklist
- Can be completed by someone who may not understand precisely the objectives and ultimate use of their answers
- Can focus the user’s attention simply on completing the checklist, causing the task to be seen as just a ‘form filling’ exercise
- May be ambiguous to the reader, however careful the design
- May be completed too quickly, and therefore without much thought, by someone who considers that their own time is better spent elsewhere
- May be completed by someone who has their own reasons for suppressing risk information
TECHNIQUES FOR IDENTIFYING RISK EVENTS - PHYSICAL INSPECTIONS
Which types of risks are physical inspections commonly used to identify/assess?
Who completes physical inspections?
Inspections are often supported by the use of what?
What is the advantage?
What are the 4 disadvantages?
H&S related risks or risks relating to fire and other physical hazards
Usually completed by qualified risk-identification specialists = building surveyor, fire-safety professional or H&S expert
Use of questionnaires or checklists to ensure that nothing important is missed
Advantage = someone with specialised knowledge can take a professional view of what is there + a formal inspection report will normally conclude with recommendations to improve the control environment and reduce the probability and impact of loss
Disadvantages:
1. Only faults visible on the day are examinable
2. Expensive
3. Third party risks not fully assessable by inspections
4. RM is the responsibility of all employees - possible erroneous view that risks are transferable to inspector
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SWIFT
What is SWIFT?
When is it commonly used?
What does the technique rely on and what is it often supported by?
What does the SWIFT leader do?
What does the SWIFT recorder do?
What are the advantages? (3)
What is the disadvantage?
the Structured What-If Technique = a systematic, team-oriented technique
= uses a series of structured ‘what-if’ and ‘how-could’ type questions to consider deviations from the normal operation of systems and processes
Commonly used for the identification of H&S and environmental-related risks
Relies on expert input from the team to identify risk events, supported by checklists
The SWIFT leader’s function is to structure the discussion
The SWIFT recorder keeps an online record of the discussion on a standard log sheet
Advantages:
1. no standard approach = flexible (can be modified to suit each individual application)
2. more likely to identify all relevant risk events (hence used in more hazardous sectors to ensure all risks are identified)
3. is efficient = generally avoids lengthy discussions of areas where hazards are well understood or where prior analysis has shown no hazards are known to exist
Disadvantage = expensive to use because of the amount of time and people involved
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SWIFT
What are the common 6 steps in the protocol for the SWIFT analysis of a risk event?
- Define the systems/processes being analysed and consider each in turn
- List possible risk events and put them in logical order for discussion – start with major events
- Consider each risk in turn and each possible cause of the risk event
- Consider the consequences and safeguards to be put in place
- Record discussion on SWIFT log sheets
- Reconsider if any risk events have been overlooked/omitted and use checklists/previous experience to check for completeness
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - DELPHI
What is the Delphi technique?
How does it work? (3)
What is the advantage? (2)
What is the disadvantage?
= an information-gathering tool that is used to reach a consensus of experts on a subject (risk events)
- Each expert participates anonymously and a facilitator uses a questionnaire to solicit ideas about the important points
- The responses are summarised and re-circulated to the experts for further comment.
- Consensus may be reached in a few – or many – rounds of this process
Advantages = (1) helps reduce bias and keeps any one person from having undue influence on the risks that are identified
(2) the technique can be effective at predicting risk events
Disadvantage = it is time consuming, especially if a consensus is hard to reach
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - DELPHI
What are the common 5 steps in the procedure?
- Agree what is to be analysed (function, department, project, or process)
- Select panel of experts (keep membership anonymous)
- Send background info and questionnaire that asks them to identify relevant risks
- Facilitator compiles responses then sends out to experts for their review and comment
- Repeat until consensus reached
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - ROOT-CAUSE
What is root-cause analysis?
What might it be applied to?
What assumption is it based on?
What are the 2 advantages?
What is the disadvantage?
= focuses on investigating the root cause of risk events
May be applied to hypothetical risk-event scenarios or actual risk events that have occurred, either within the organisation or in similar organisations
Based on the assumption that many risk events have multiple causes
E.g., a fire risk event needs material to burn, a spark and oxygen before it can cause damage
Advantages:
1. Root-cause analysis adds depth to the identification of risk by exploring how and why the event may occur (If organisation can prevent causes = prevent risk event from occurring)
2. A good technique to use when investigating the causes of large or negative events to prevent them happening again
Disadvantage = time consuming = rarely practical or cost effective
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - ROOT-CAUSE
Root-cause analysis approaches vary but are based on what four principles?
How are the causes and order of an event often identified?
What is the 5 whys technique?
- Identify the causes of the event
- Establish the timeline from normal operations to a risk event
- Distinguish between root causes and more immediate causes
- Use the results to improve controls and to help manage future risk events
The causes and order of an event are often identified using the ‘5 whys’ technique
5 whys technique = usually possible to get to the root cause in 5 questions:
1. Why did a fire occur?
2. Why did the material burn?
3. Why did the spark occur?
4. Why did the electrical fault occur?
5. Why was the wiring old? = not safety inspected
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SYSTEM AND PROCESS MAPPING
What is systems and process mapping? (2)
What is a common investigation technique?
What does fault tree analysis try to identify?
What does it begin with?
What is the aim of fault-tree analysis?
What is the advantage of a fault tree?
What is the disadvantage?
- involves putting all of an organisation’s systems and processes into flow charts
- Flow charts are then investigated to identify potential sources of risk to the various systems, processes, activities or objectives
A common investigation technique = fault tree analysis
Fault tree analysis tries to identify potential system or process failures (risk events) and then looks backwards to search out the possible causes of that failure
Fault-tree analysis begins with each element in a system or process flow and then considers what might happen if this element fails
Aim of fault-tree analysis = to identify key points of failure and whether these can be overcome by adapting other parts of the system or process flow
- Fault trees can be long or short, simple or technical
Advantage of fault-tree approach = can highlight and link connected risk events that could combine to cause much larger risk events
Disadvantage = takes lots of time and money
TECHNIQUES FOR IDENTIFYING RISK EVENTS - LOSS EVENT AND NEAR-MISS INVESTIGATIONS
What is a loss event?
Name an example.
Why should loss events be investigated?
What are near misses?
Name an example.
Why should near misses be investigated? (2)
Loss event = risk events that result in monetary or non-monetary losses
E.g., faulty machinery, liability claims, adverse media attention, or employee injury
Are learning opportunities = organisation may decide to identify the cause and help prevent more serious risk events in the future = investigations could help to identify new risks & signify an increase in exposure
Near misses = risk event occurs but doesn’t result in loss = events that should have resulted in a financial or non-financial loss, but for one reason or another did not
E.g., a small fire that is extinguished before damage can be done
Near misses are important learning opportunities.
1. The next time they occur, an actual loss may be incurred.
2. It is important to learn from the near miss to help prevent future occurrences.
IDENTIFYING EMERGING RISKS
What are emerging risks?
How are they categorised?
Name 3 examples of current emerging risks.
What are the 3 techniques for identifying emerging risks and why are these techniques important?
Emerging risks = either significant new risks, or risks that were known about previously, but which were not considered to be significant
Emerging risks are characterised by high levels of uncertainty = there is not yet much experience gained = can be ignored or over- or underestimated
- cyber risks such as ransomware
- other examples are linked to political uncertainty (such as Brexit)
- global warming (the rise in severe weather events)
A. PEST analysis
B. SWOT analysis
C. World Economic Forum Global Risk Report
Techniques for identifying emerging risks can help to prevent them from being ignored or underestimated
IDENTIFYING EMERGING RISKS - PEST ANALYSIS
What is PEST analysis and an example of each?
PEST analysis is usually completed by who?
What may be used to support PEST analysis?
= analyses political, economic, social, and technological changes
Political change = change in legislation and regulations or changes in political philosophies e.g. Brexit
Economic change = periods of high or low inflation or interest rates
Social and technological = rise of internet and smart phones and social media leading to increased cyber security and reputation risk
PEST analysis is usually completed by a group of participants but also common for the board to be involved where large-scale emerging risks can have a far reaching strategic impact
Analytical tools like the Delphi technique may be used to support PEST analysis
IDENTIFYING EMERGING RISKS - SWOT ANALYSIS
What is SWOT analysis?
What is the process? (3)
Strengths, weaknesses, opportunities, and threats analysis = a strategic tool used to identify business objectives and emerging risks
- Begins by identifying an organisation’s strengths and weaknesses
E.g., its finances, abilities of key personnel, market power, efficiency/inefficiency of operations
- Focus then shifts to identifying potential opportunities and threats which may be on the horizon
E.g., consumer demand, distribution channels, system and process innovation
- An organisation’s strengths and weaknesses are compared to identify opportunities that may be exploited and threats to existing objectives that need to be addressed
IDENTIFYING EMERGING RISKS - WORLD ECONOMIC FORUM GLOBAL RISK REPORT
What is the annual World Economic Forum Global Risk Report?
Name 3 of the top risks in the 2023 report.
Name 2 previous topic risks.
= a useful source of current and emerging risks = report provides a strategic view of risk supplemented by in-depth analysis of specific ‘hot topics’
Top risks from 2023 were:
1. Cost of living crisis
2. Extreme weather events
3. Widespread cybercrime
Previous topics = pandemic (2021), natural disasters (2018)
RISK-ASSESSMENT TECHNIQUES
What do risk-assessment techniques do?
Which ISO standard provides guidance on the use of the main categories of risk-assessment techniques?
What are the 3 risk-assessment techniques?
Assess the probability and impact of a risk event to help determine the level of exposure
ISO 31010:2009 ‘Risk-management – Risk Assessment’
- Quantitative
- Qualitative
- Hybrid (stress testing and scenario analysis)
RISK-ASSESSMENT TECHNIQUES - QUALITATIVE
What does qualitative risk assessment involve?
What techniques are used?
What is the dominant qualitative technique?
What other terms could be used?
Why is it important that the order or magnitude is clear?
Involves a significant degree of judgement
Similar techniques to those used for risk identification are often used, including expert judgement, focus groups and surveys
Dominant qualitative technique = estimate probability and impact using an ordinal scale:
1 = Low
2 = Medium
3 = High
(Data is shown in order of magnitude only, meaning that 2 is larger than 1)
Some organisations may use words to describe the level of probability and impact e.g., ‘almost certain’, ‘severe’ or ‘extreme’ for higher values or ‘minor’, ‘insignificant’ and ‘negligible’ for lower ones
Terms used are not important, as long as their order of magnitude is clear = is common practice to provide definitions for the terms chosen = help improve the accuracy and consistency of risk-assessment activities across an organisation
RISK-ASSESSMENT TECHNIQUES - QUALITATIVE
What are the 2 levels of assessment that may be performed in qualitative risk-assessment?
Why?
What is the final extension in a qualitative risk-assessment?
What is important to stress?
What is the strength of a qualitative risk-assessment technique?
What are the 2 weaknesses?
Two levels of assessment = one for inherent risk and another for residual risk
One for inherent risk = to show the potential exposure to risk, should controls not be in place
One for residual risk = to show the current effectiveness of the controls that have been applied
A final extension combines probability and impact to arrive at an exposure score
= Usually the ordinal values are multiplied together to arrive at an order of magnitude for exposure
E.g.,
Probability ↓ \ Negative impact →  |  1  |  2  |  3
1                                  |  1  |  2  |  3
2                                  |  2  |  4  |  6
3                                  |  3  |  6  |  9
It is important to stress that these are ordinal values = an exposure value of 9 is larger than 6, but not known by how much larger
Strength = Do not need data (unlike quantitative techniques)
Weakness = (1) much more subjective compared to quantitative techniques and (2) can only provide an order of magnitude for probability and impact rather than a precise measurement
RISK-ASSESSMENT TECHNIQUES - QUANTITATIVE
What is quantitative risk-assessment?
With quantitative methods, it is possible to do what? (2)
What principles does quantitative risk assessment use?
Is quantitative risk-assessment superior to qualitative procedures? / what are the strengths? (2)
What are the 2 problems/weaknesses?
Where is quantitative risk assessment most used?
= applies a standard of measurement to probability and impact to allow a more precise and objective analysis of risk
Possible to:
A. determine how much bigger a given probability or impact value is than another
B. model an infinite number of probability and impact combinations
Uses the principles of statistical analysis.
In theory, yes:
(1) is mathematically precise
(2) does not rely on subjective judgement = uses historical data
In practice, quantitative risk assessment is problematic:
1. Require large amounts of historical data to work effectively = data is not always available
2. There is no guarantee that what has happened in the past will happen in the same way in the future
Used most in the financial services sector for assessing financial risks (e.g., market and credit risk) where data is plentiful (although financial crisis was not predicted!)
RISK-ASSESSMENT TECHNIQUES - HYBRID
What are hybrid approaches to risk assessment?
What is the aim?
What are hybrid approaches used for?
What are the 2 types of hybrid approaches?
Hybrid approaches combine elements of quantitative and qualitative risk assessment
Aim = to provide a relatively consistent and objective method for assessing risk, which does not rely on large amounts of data
Hybrid approaches are used for extreme risk events, meaning those with a low probability, but a high impact (whether positive or negative)
- Stress testing
- Scenario analysis
RISK-ASSESSMENT TECHNIQUES - HYBRID - STRESS TESTING
What is stress testing?
What are 3 common variables?
What are the 2 advantages?
What is reverse stress testing?
What are the 2 approaches to reverse stress testing?
= involves assessing the impact that extreme movements in key financial variables may have on an organisation, either in isolation or together
Common variables include: (1) a fall in income (2) rising inflation (3) rising or falling interest rates
Advantages:
1. Stress testing is a good way to assess the financial strength of an organisation, especially when faced with extreme events
2. It can help an organisation to prepare for extreme events should they occur, helping to reduce the chance of significant financial distress or bankruptcy
Reverse stress test = establishes the point at which an organisation’s objectives are no longer achievable
= a useful tool for corporate financial resiliency planning
2 approaches to reverse stress testing:
(1) Define a series of events, which will cause the business plan to fail, then measure the implications on the business plan for each of the identified events
(2) Start with the income statement and balance sheet and investigate each line item → Identify the factors that would affect that line item to such a degree that the business plan fails or the organisation becomes insolvent
RISK-ASSESSMENT TECHNIQUES - HYBRID - SCENARIO ANALYSIS
What is scenario analysis?
What are the 2 principal types of scenarios?
What are the 2 disadvantages?
What are the 3 advantages?
= relevant experts and managers determine plausible but extreme future scenarios and then assess the impact on an organisation should the scenario manifest itself
- Single variable scenarios = focus on specific event or occurrence = looks at both the possible frequency of occurrence and impact from that single event
- Multi-variable scenarios = examine the occurrence of multiple inter-related events (that may occur at same time or as a chain of linked events)
Disadvantages = time consuming and may involve a number of functional specialists and managers
Advantages:
(1) Can help organisations to anticipate and prepare for extreme scenarios
(2) Especially well-suited to testing business continuity plans and for estimating the maximum level of loss = can help determine the level of insurance cover
(3) Can determine more accurate probability and impact values for extreme events = allow an organisation to rank scenarios in order of significance = allows scarce management and control resources to be utilised effectively
THE RISK REGISTER
What 2 tools are used by organisations to store and monitor the results of their risk-assessment activities?
What is a risk register?
What is important to ensure?
How often is a risk register updated?
What 5 things may a simple risk register include?
Risk registers and risk and control self-assessments
A spreadsheet or database application used to store information on risk events that have been identified and assessed
Important to ensure that data is collected and organised in a way that allows data to be aggregated across different registers
(Most organisations have 1 or more risk registers)
Updated on a regular basis – typically monthly/quarterly (depends on how often risk exposure changes)
- a description of the risk event that has been identified;
- the risk category that the risk event is linked to;
- the person responsible for managing the risk event on a day-to-day basis, often known as the risk owner;
- a qualitative probability and impact assessment of the risk event; and
- any actions currently under way to control the probability or impact of the risk event.
THE RISK REGISTER
Name 5 things that a more comprehensive risk register may include.
- a qualitative probability and impact assessment of inherent risk;
- a qualitative probability and impact assessment of the residual risk;
- information on the potential causes of the risk event;
- information on the potential financial and non-financial impacts of the risk event;
- Any risk metrics that are used to monitor exposure
RISK AND CONTROL SELF-ASSESSMENTS (RCSA)
What is a RCSA?
What does it provide?
What is a key output?
What can a RCSA be used to support?
What will RCSA documentation include?
What is the assessment used for?
What is it common to link in a RCSA document and why?
= a process that combines risk identification, qualitative risk assessment and an assessment of control effectiveness.
Provides a systematic means for identifying control weaknesses and gaps that may threaten the achievement of an organisation’s objectives or the operational efficiency of its systems and processes
A key output = the production of action plans that help to allocate scarce resources to address control gaps or weaknesses (where the benefits of doing so exceed the associated costs of increased control)
Can be used to support internal audit and governance activities
Include the typical components of a risk register, plus an assessment of the effectiveness of the controls that are in place
= This assessment is used to estimate the residual risk exposure
It is common to link risk events to organisational objectives in a RCSA document = ensures the effect that a risk may have on an organisation’s objectives is understood and supports the board in its governance responsibilities
RISK REPORTING
Why does risk reporting exist?
What is the single best approach to the design or presentation of risk reports?
What is RAG Reporting?
What are the 3 categories/levels?
Effective risk reporting exists to support decision-making in an organisation = decision-makers need information on the nature and extent of risks to make the best possible choices
There isn’t one, nor is there an optimum number of risks to report = best approach is context-specific and will depend on the nature, scale and complexity of an organisation’s activities and risks
RAG = red, amber and green system used to help prioritise risk exposure, control weaknesses, internal audit issues etc.
Red = The level of risk exposure is very high (or low) and could threaten the achievement of an organisation’s strategic objectives
= Immediate action is required on the part of management to manage the risk in question
Amber = The level of risk exposure is higher/lower than normal
= Management attention is required to determine whether action needs to be taken in the near future
Green = The level of risk exposure is within normal parameters
= No action is required – the risk is under adequate control
RISK REPORTING TOOLS
What are the 5 common risk reporting tools?
How will an organisation select which tool to use?
- Heat maps
- Risk event and near miss databases
- Risk, control and performance indicators
- Risk dashboards and balanced scorecards
- Narrative reporting
An organisation will select these tools based on regulatory requirements and the needs of their decision-makers
RISK EVENT AND NEAR MISS DATABASES
What may an organisation report?
What if there is sufficient data?
What is the benefit of this?
Organisations may report the number of risk events or near misses, as well as the value of any financial or non-financial loss
If there is sufficient data, it may be possible to provide reports by risk category or business unit and function
= can help to focus management attention on key categories of risk or high-risk business units and functions
RISK REPORTING TOOLS - HEAT MAPS
What are heat maps?
What types of heat maps are there? (2)
What size should a heat map be?
What is an objective heat map?
Use the concept of RAG reporting, but may add black to show extreme risks and blue for insignificant risks
(1) some show the status of risk, control, or performance indicators
(2) others are used to show trends in risk exposure
Large ones can be difficult to interpret, but smaller ones can help management focus on the most significant risk exposures or control weaknesses (red/black or amber)
A heat map which illustrates the level of risk that is currently associated with not meeting each objective
RISK REPORTING TOOLS - RISK, CONTROL, AND PERFORMANCE INDICATORS
What are the differences between risk, control and performance indicators?
Name example(s) of each.
Who may reports be produced for?
Risk indicators = provide information on an organisation’s inherent risk exposure to 1 or more risks
E.g., staff turnover, number of attempted IT firewall breaches, credit scores of customers or suppliers that owe money
Control indicators = provide information on the effectiveness of controls = help organisations to understand how their residual risk exposures may be changing
E.g., frequency of electrical testing, unresolved internal audit issues, number of breaches of policies or procedures
Performance indicators = provide information on how effectively an organisation is operating
E.g. staff absence rate
Different reports may be produced for different departments and functions, as well as different levels of management
RISK REPORTING TOOLS - RISK DASHBOARDS AND BALANCED SCORECARDS
What is a risk dashboard?
How may a risk dashboard be presented?
What makes an effective risk dashboard?
= risk reports that combine various risk and control indicators, as well as heat maps, risk event and near miss data
May be presented thematically
E.g., the board may receive a strategic risk dashboard
Senior managers may receive dashboards on topics like health and safety and departments
Function managers may receive dashboards relating to their area of responsibility
Effective dashboards are not long = care is needed to provide the most relevant sources of information in the clearest way
RISK REPORTING TOOLS - RISK DASHBOARDS AND BALANCED SCORECARDS
What are balanced scorecards used for?
What do balanced scorecards provide?
What are the 4 focus elements?
What may balanced scorecards be linked to and why?
Used for strategic planning
Provide a means of structuring a risk dashboard around an organisation’s objectives so that the risks to these objectives can be monitored and reported
Balanced scorecards typically use four focus elements:
1. financial performance
2. operational efficiency
3. human resources
4. compliance
Balanced scorecards may be linked to employee development and performance reviews
= ensures that an organisation’s employees make risk taking and control decisions that are consistent with its objectives
RISK REPORTING TOOLS - NARRATIVE REPORTING
What is risk narrative reporting?
Where is it common?
What may it be combined with?
How are they set up?
Involves using words to explain how a risk exposure is changing
Common where there is no numerical data that can be reported
It may be combined with numerical data to help provide context
In a table with columns ‘indicator’, ‘trend’ (trend arrows show whether the risk is increasing or decreasing and may be RAG related to provide further context), ‘value last month’, ‘previous value’, and ‘commentary’
DESIGNING AND IMPLEMENTING RISK REPORTS
What are the 4 key factors to consider when designing and implementing risk reports?
- Audience
- Size and level of detail = too much data and audience will have to spend longer reviewing it and less likely to make sense of it
Should consult with the intended audience to determine the essential pieces of data and narrative reporting they need in a length and level of complexity that works for them
- Level of statistical complexity = not all audiences will understand statistics or need a statistically complex report
Consultation with the report’s audience should help to determine their requirements
- Frequency = depends on the frequency with which risk exposures change
- In volatile areas like financial markets, reporting may be daily or on a real-time basis
- Monthly or quarterly is normal for other risks like health and safety
DESIGNING AND IMPLEMENTING RISK REPORTS - AUDIENCE
Why do different audiences require different types of risk reports?
What kind of risk reports would the following groups need and why:
- The Board
- Senior management
- Business unit
- Individual teams and support functions
Because different audiences make different decisions (= require different data) and have different competencies
Board = high level risk reports to support governance and strategic decisions
= Heat maps and Key Risk Indicator (KRI) reports
SM = more detailed reports focusing on key areas of risk to support allocation of resources and escalation, but still high level
= Heat maps and KRI reports
Business unit = even more detailed reports, but tend to be specific
= Review risk registers, KRIs and Key Control Indicators (KCI), loss and near miss data
Individual teams and support functions = strong functional and performance focus
= Review local risk registers and KRIs/KCIs, local loss and near misses