Evaluating and reporting risk Flashcards
What are the 6 techniques for identifying risk events?
An organisation’s choice of techniques will depend on what? (4)
What is the purpose of risk identification?
Why are analytical techniques generally seen as better?
- Expert judgement
- Focus groups and surveys
- Checklists
- Physical inspections
- Analytical approaches = SWIFT, Delphi, Root-cause analysis, and system and process mapping
- Loss event and near-miss investigations
Depends on the nature, scale and complexity of its activities, as well as regulatory requirements
= to determine the nature of risks and the specific types of risk event that may occur
They use a range of research and logic structuring methods to make risk identification more scientific and less prone to human error.
TECHNIQUES FOR IDENTIFYING RISK EVENTS - EXPERT JUDGEMENT
What does expert judgement rely on?
Name an example.
What are the two types of experts?
Who is it helpful to have work with an expert?
What is the advantage?
What is the disadvantage?
Relies on skills and experiences of relevant specialists, either in isolation or working as a group
E.g., IT specialist should have a good understanding of the types of IT-related risk events to which an organisation may be exposed
Internal and external = most organisations will use their own internal specialists to provide expert judgement, but in some circumstances external experts (RM consultants) may be used
Helpful to have a facilitator to work with experts to help them identify all relevant risks
= the facilitator may be an internal risk specialist or an external consultant
Advantage = using 1 expert is cost effective in terms of time
Disadvantage = possibility that the expert may miss something important or exhibit some form of perceptual bias
TECHNIQUES FOR IDENTIFYING RISK EVENTS - FOCUS GROUPS AND SURVEYS
Who might focus groups comprise?
What is the main idea behind a focus group?
What is the advantage?
What is the disadvantage?
What is a risk survey?
What are the 2 types of risk surveys?
How can they be created?
May comprise a mix of specialists (IT, finance and HR specialists) and include functional and departmental managers (operations managers or marketing managers)
Idea = to share a range of different perspectives and experiences to achieve a consensus view
Advantage = should ensure that a greater number of relevant risk events are identified
Disadvantage = focus groups take up more specialist or management time due to the greater number of people involved
Risk survey = relevant specialists and managers are asked a series of questions and their responses are consolidated and analysed to identify relevant risk events
- Simple survey = may ask respondents to list the risk events that they believe could occur or may provide a checklist of potential risk events
- More sophisticated = may ask about how organisational processes and procedures are designed and controlled to identify the potential sources of risk events
May be created by internal or external RM specialists
TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS
What is a risk checklist?
When are they used and why?
How may a checklist be drawn up? (2)
What is an example and an advantage of the second way?
What are 2 positives and 1 negative of more detailed checklists and what does this mean for an organisation?
Provide a prepared list of potential risk events
Used to support other risk-identification approaches = expert judgement, focus groups and surveys
Why = ensures that particular types of risk event are not forgotten and that all relevant sources of risk are given consideration
An organisation may draw up its own checklists based on their past experience of risk events, or use checklists provided by an external agency e.g., Basel loss event types
Advantage = external agency is able to learn from experience of multiple organisations
Positives:
1. Facilitate more targeted risk assessment monitoring and control activities
2. Reduce the chance that important risk events may be overlooked
Negative = increase the amount of time that must be devoted to risk identification
Organisation must balance the costs and benefits of more or less detailed checklists and choose the approach that works best for its circumstances
TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS
What are the 6 benefits of checklists?
- A cheap and efficient way of collating large amounts of information
- Simple and easy to use = ensures that relevant sources of risk are not missed
- A useful way of updating information for current use and for monitoring trends against previous surveys
- Can be adapted to individual areas of risk focus (H&S, environmental)
- Useful for putting diverse sources of information into a common format
- Can be used to provide evidence of compliance with relevant risk-management regulations
TECHNIQUES FOR IDENTIFYING RISK EVENTS - CHECKLISTS
What are the 6 disadvantages of checklists?
- Can be used by someone who may not be skilled in the subject of the checklist
- Can be completed by someone who may not understand precisely the objectives and ultimate use of their answers
- Can focus the user’s attention simply on completing the checklist, causing the task to be seen as just a ‘form filling’ exercise
- May be ambiguous to the reader, however careful the design
- May be completed too quickly, and therefore without much thought, by someone who considers that their own time is better spent elsewhere
- May be completed by someone who has their own reasons for suppressing risk information
TECHNIQUES FOR IDENTIFYING RISK EVENTS - PHYSICAL INSPECTIONS
Which types of risks are physical inspections commonly used to identify/assess?
Who completes physical inspections?
Inspections are often supported by the use of what?
What is the advantage?
What are the 4 disadvantages?
H&S related risks or risks relating to fire and other physical hazards
Usually completed by qualified risk-identification specialists = building surveyor, fire-safety professional or H&S expert
Use of questionnaires or checklists to ensure that nothing important is missed
Advantage = someone with specialised knowledge can take a professional view of what is there + a formal inspection report will normally conclude with recommendations to improve the control environment and reduce the probability and impact of loss
Disadvantages:
1. Only faults visible on the day are examinable
2. Expensive
3. Third party risks not fully assessable by inspections
4. RM is the responsibility of all employees - possible erroneous view that risks are transferable to inspector
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SWIFT
What is SWIFT?
When is it commonly used?
What does the technique rely on and what is it often supported by?
What does the SWIFT leader do?
What does the SWIFT recorder do?
What are the advantages? (3)
What is the disadvantage?
The Structured What-If Technique = a systematic, team-oriented technique
= uses a series of structured ‘what-if’ and ‘how-could’ type questions to consider deviations from the normal operation of systems and processes
Commonly used for the identification of H&S and environmental-related risks
Relies on expert input from the team to identify risk events, supported by checklists
The SWIFT leader’s function is to structure the discussion
The SWIFT recorder keeps an online record of the discussion on a standard log sheet
Advantages:
1. no standard approach = flexible (can be modified to suit each individual application)
2. more likely to identify all relevant risk events (hence used in more hazardous sectors to ensure all risks are identified)
3. is efficient = generally avoids lengthy discussions of areas where hazards are well understood or where prior analysis has shown no hazards are known to exist
Disadvantage = expensive to use because of the amount of time and people involved
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SWIFT
What are the common 6 steps in the protocol for the SWIFT analysis of a risk event?
- Define the systems/processes being analysed and consider each in turn
- List possible risk events and put them in logical order for discussion – start with major events
- Consider each risk in turn and each possible cause of the risk event
- Consider the consequences and safeguards to be put in place
- Record discussion on SWIFT log sheets
- Reconsider if any risk events have been overlooked/omitted and use checklists/previous experience to check for completeness
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - DELPHI
What is the Delphi technique?
How does it work? (3)
What is the advantage? (2)
What is the disadvantage?
= an information-gathering tool that is used to reach a consensus of experts on a subject (risk events)
- Each expert participates anonymously and a facilitator uses a questionnaire to solicit ideas about the important points
- The responses are summarised and re-circulated to the experts for further comment.
- Consensus may be reached in a few – or many – rounds of this process
Advantages = (1) helps reduce bias and keeps any one person from having undue influence on the risks that are identified
(2) the technique can be effective at predicting risk events
Disadvantage = it is time consuming, especially if a consensus is hard to reach
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - DELPHI
What are the common 5 steps in the procedure?
- Agree what is to be analysed (function, department, project, or process)
- Select panel of experts (keep membership anonymous)
- Send background info and questionnaire that asks them to identify relevant risks
- Facilitator compiles responses then sends them out to experts for their review and comment
- Repeat until consensus reached
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - ROOT-CAUSE
What is root-cause analysis?
What might it be applied to?
What assumption is it based on?
What are the 2 advantages?
What is the disadvantage?
= focuses on investigating the root cause of risk events
May be applied to hypothetical risk-event scenarios or actual risk events that have occurred, either within the organisation or in similar organisations
Based on the assumption that many risk events have multiple causes
E.g., a fire risk event needs material to burn, a spark and oxygen before it can cause damage
Advantages:
1. Root-cause analysis adds depth to the identification of risk by exploring how and why the event may occur (If organisation can prevent causes = prevent risk event from occurring)
2. A good technique to use when investigating the causes of large or negative events to prevent them happening again
Disadvantage = time consuming = rarely practical or cost effective
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - ROOT-CAUSE
Root-cause analysis approaches vary but are based on what four principles?
How are the causes and order of an event often identified?
What is the 5 whys technique?
- Identify the causes of the event
- Establish the timeline from normal operations to a risk event
- Distinguish between root causes and more immediate causes
- Use the results to improve controls and to help manage future risk events
The causes and order of an event are often identified using the ‘5 whys’ technique
5 whys technique = usually possible to get to the root cause in 5 questions:
1. Why did a fire occur?
2. Why did the material burn?
3. Why did the spark occur?
4. Why did the electrical fault occur?
5. Why was the wiring old? = not safety inspected
TECHNIQUES FOR IDENTIFYING RISK EVENTS - ANALYTICAL APPROACHES - SYSTEM AND PROCESS MAPPING
What is systems and process mapping? (2)
What is a common investigation technique?
What does fault tree analysis try to identify?
What does it begin with?
What is the aim of fault-tree analysis?
What is the advantage of a fault tree?
What is the disadvantage?
- involves putting all of an organisation’s systems and processes into flow charts
- Flow charts are then investigated to identify potential sources of risk to the various systems, processes, activities or objectives
A common investigation technique = fault tree analysis
Fault tree analysis tries to identify potential system or process failures (risk events) and then looks backwards to search out the possible causes of that failure
Fault-tree analysis begins with each element in a system or process flow and then considers what might happen if this element fails
Aim of fault-tree analysis = to identify key points of failure and whether these can be overcome by adapting other parts of the system or process flow
- Fault trees can be long or short, simple or technical
Advantage of fault-tree approach = can highlight and link connected risk events that could combine to cause much larger risk events
Disadvantage = takes lots of time and money
TECHNIQUES FOR IDENTIFYING RISK EVENTS - LOSS EVENT AND NEAR-MISS INVESTIGATIONS
What is a loss event?
Name an example.
Why should loss events be investigated?
What are near misses?
Name an example.
Why should near misses be investigated? (2)
Loss event = risk events that result in monetary or non-monetary losses
E.g., faulty machinery, liability claims, adverse media attention, or employee injury
Are learning opportunities = organisation may decide to identify the cause and help prevent more serious risk events in the future = investigations could help to identify new risks & signify an increase in exposure
Near misses = risk event occurs but doesn’t result in loss = events that should have resulted in a financial or non-financial loss, but for one reason or another did not
E.g., a small fire that is extinguished before damage can be done
Near misses are important learning opportunities.
1. The next time they occur, an actual loss may be incurred.
2. It is important to learn from the near miss to help prevent future occurrences.
IDENTIFYING EMERGING RISKS
What are emerging risks?
How are they categorised?
Name 3 examples of current emerging risks.
What are the 3 techniques for identifying emerging risks and why are these techniques important?
Emerging risks = either significant new risks, or risks that were known about previously, but which were not considered to be significant
Emerging risks are characterised by high levels of uncertainty = there is not yet much experience gained = can be ignored or over- or underestimated
- cyber risks such as ransomware
- other examples are linked to political uncertainty (such as Brexit)
- global warming (the rise in severe weather events)
A. PEST analysis
B. SWOT analysis
C. World Economic Forum Global Risk Report
Techniques for identifying emerging risks can help to prevent them from being ignored or underestimated
IDENTIFYING EMERGING RISKS - PEST ANALYSIS
What is PEST analysis and an example of each?
PEST analysis is usually completed by who?
What may be used to support PEST analysis?
= analyses political, economic, social, and technological changes
Political change = change in legislation and regulations or changes in political philosophies e.g. Brexit
Economic change = periods of high or low inflation or interest rates
Social and technological = rise of the internet, smartphones and social media, leading to increased cyber-security and reputation risk
PEST analysis is usually completed by a group of participants, but it is also common for the board to be involved where large-scale emerging risks can have a far-reaching strategic impact
Analytical tools like the Delphi technique may be used to support PEST analysis
IDENTIFYING EMERGING RISKS - SWOT ANALYSIS
What is SWOT analysis?
What is the process? (3)
Strengths, weaknesses, opportunities, and threats analysis = a strategic tool used to identify business objectives and emerging risks
- Begins by identifying an organisation’s strengths and weaknesses, e.g., its finances, abilities of key personnel, market power, efficiency/inefficiency of operations
- Focus then shifts to identifying potential opportunities and threats which may be on the horizon, e.g., consumer demand, distribution channels, system and process innovation
- An organisation’s strengths and weaknesses are compared to identify opportunities that may be exploited and threats to existing objectives that need to be addressed
IDENTIFYING EMERGING RISKS - WORLD ECONOMIC FORUM GLOBAL RISK REPORT
What is the annual World Economic Forum Global Risk Report?
Name 3 of the top risks in the 2023 report.
Name 2 previous topic risks.
= a useful source of current and emerging risks = report provides a strategic view of risk supplemented by in-depth analysis of specific ‘hot topics’
Top risks from 2023 were:
1. Cost of living crisis
2. Extreme weather events
3. Widespread cybercrime
Previous topics = pandemic (2021), natural disasters (2018)
RISK-ASSESSMENT TECHNIQUES
What do risk-assessment techniques do?
Which ISO standard provides guidance on the use of the main categories of risk-assessment techniques?
What are the 3 risk-assessment techniques?
Assess the probability and impact of a risk event to help determine the level of exposure
ISO 31010:2009 ‘Risk-management – Risk Assessment’
- Quantitative
- Qualitative
- Hybrid (stress testing and scenario analysis)
RISK-ASSESSMENT TECHNIQUES - QUALITATIVE
What does qualitative risk assessment involve?
What techniques are used?
What is the dominant qualitative technique?
What other terms could be used?
Why is it important that the order of magnitude is clear?
Involves a significant degree of judgement
Similar techniques to those used for risk identification are often used, including expert judgement, focus groups and surveys
Dominant qualitative technique = estimate probability and impact using an ordinal scale:
1 = Low
2 = Medium
3 = High
(Data is shown in order of magnitude only, meaning that 2 is larger than 1)
Some organisations may use words to describe the level of probability and impact e.g., ‘almost certain’, ‘severe’ or ‘extreme’ for higher values or ‘minor’, ‘insignificant’ and ‘negligible’ for lower ones
Terms used are not important, as long as their order of magnitude is clear = it is common practice to provide definitions for the terms chosen = helps improve the accuracy and consistency of risk-assessment activities across an organisation
RISK-ASSESSMENT TECHNIQUES - QUALITATIVE
What are the 2 levels of assessment that may be performed in qualitative risk-assessment?
Why?
What is the final extension in a qualitative risk-assessment?
What is important to stress?
What is the strength of a qualitative risk-assessment technique?
What are the 2 weaknesses?
Two levels of assessment = one for inherent risk and another for residual risk
One for inherent risk = to show the potential exposure to risk, should controls not be in place
One for residual risk = to show the current effectiveness of the controls that have been applied
A final extension combines probability and impact to arrive at an exposure score
= Usually the ordinal values are multiplied together to arrive at an order of magnitude for exposure
E.g., (rows = probability, columns = negative impact)
                 Negative impact →
Probability ↓    1    2    3
1                1    2    3
2                2    4    6
3                3    6    9
It is important to stress that these are ordinal values = an exposure value of 9 is larger than 6, but not known by how much larger
Strength = Do not need data (unlike quantitative techniques)
Weakness = (1) much more subjective compared to quantitative techniques and (2) can only provide an order of magnitude for probability and impact rather than a precise measurement
RISK-ASSESSMENT TECHNIQUES - QUANTITATIVE
What is quantitative risk-assessment?
With quantitative methods, it is possible to do what? (2)
What principles does quantitative risk assessment use?
Is quantitative risk-assessment superior to qualitative procedures? / what are the strengths? (2)
What are the 2 problems/weaknesses?
Where is quantitative risk assessment most used?
= applies a standard of measurement to probability and impact to allow a more precise and objective analysis of risk
Possible to:
A. determine how much bigger a given probability or impact value is than another
B. model an infinite number of probability and impact combinations
Uses the principles of statistical analysis.
In theory, yes:
(1) is mathematically precise
(2) does not rely on subjective judgement = uses historical data
In practice, quantitative risk assessment is problematic:
1. Requires large amounts of historical data to work effectively = data is not always available
2. There is no guarantee that what has happened in the past will happen in the same way in the future
Used most in the financial services sector for assessing financial risks (e.g., market and credit risk) where data is plentiful (although the financial crisis was not predicted!)
RISK-ASSESSMENT TECHNIQUES - HYBRID
What are hybrid approaches to risk assessment?
What is the aim?
What are hybrid approaches used for?
What are the 2 types of hybrid approaches?
Hybrid approaches combine elements of quantitative and qualitative risk assessment
Aim = to provide a relatively consistent and objective method for assessing risk, which does not rely on large amounts of data
Hybrid approaches are used for extreme risk events, meaning those with a low probability, but a high impact (whether positive or negative)
- Stress testing
- Scenario analysis