Evaluating and reporting risk

Question 1

Which of the two base types of risks do risk-event identification activities typically focus on?

Answer 1

Downside risk

Question 2

6 methods (or groups of methods) that can be used to identify risks:

Answer 2

• Expert judgement
• Focus groups and surveys
• Checklists
• Physical inspections
• Analytical approaches
• Loss event and near-miss investigations

Question 3

Identifying risk - where might ‘expert judgement’ come from

Answer 3

• Internal specialists, such as IT or finance specialists
• External consultants

Question 4

What might an org do to ensure use of an external consultant to identify risk is effective?

Answer 4

Have a facilitator work with them, usually being an internal risk specialist

Question 5

Identifying risk - who would typically comprise a focus group? (2)

Answer 5

• Specialists, such as IT, finance and HR specialists
• Functional and departmental managers

Question 6

Risk identification - Benefit of focus groups

Answer 6

Share a range of different perspectives and experiences to achieve a consensus view and ensure identification of a greater number of risk events

Question 7

Risk identification - Cost of focus groups

Answer 7

Can take up significant time with involvement of great number of people

• this is why a survey of relevant individuals may be carried out instead

Question 8

What might a risk-identification survey ask respondents to do?

Answer 8

List the risk events they believe could occur or provide a checklist of potential risk events

Question 9

Would a checklist be used on its own as a risk identification tool?

Answer 9

No, it would be supplementary to other tools such as expert judgement, focus groups and surveys

Question 10

Risk checklists (3)

Answer 10

• List of all recognised potential risk events
• Ensures focus groups or experts don’t overlook certain types of risk events and consider all
• Can be drawn up internally or by external specialists

Question 11

Benefits of risk checklists (7)

Answer 11

• Cheap and efficient way to collate large amounts of info
• Simple and easy to use
• Ensures relevant sources of risk are not missed
• Useful way of updating info for current use
• Can be adapted to individual areas of risk
• Useful for putting sources of info into common format
• Can be use to provide evidence of compliance with regulations

Question 12

Costs of risk checklists (6)

Answer 12

• Can be used by someone not skilled in subject of checklist
• Can be completed by someone not fully understanding objectives and use of info
• Can focus attention simply on completing checklist, tick boxing
• May be ambiguous, however careful the design
• May be completed too quickly, without much thought
• May be completed by someone who intends to suppress risk info

Question 13

Risk identification - who would complete a physical inspection?

Answer 13

Qualified risk-identification specialists such as building surveyors, fire-safety professionals or H&S experts

Question 14

Risk identification - disadvantages of physical inspections (4)

Answer 14

• Inspector only sees a snapshot in time and risk exposures visible on that day
• Inspection programmes can be expensive, especially where there are multiple sites
• Key sources of risk may be where third-party suppliers provide goods or services and it will be difficult to obtain authority to inspect these premises
• Risk-man is and should remain the responsibility of every manager and employee, and regular visits of an inspector may cause managers and employees to believe they can abdicate this responsibility

Question 15

Primary aim of analytic approaches to risk identification

Answer 15

Make risk identification more scientific and less prone to human error

Question 16

4 analytical approaches to risk identification

Answer 16

• Structured what-if technique
• Delphi technique
• Root-cause analysis
• System and process mapping

Question 17

Structured what-if technique (SWIFT)

Answer 17

• Systematic team-oriented technique used for identification of H&S and environmental-related risks
• Used series of structured ‘what-if’ and ‘how-could’ type questions to consider deviations from normal operation of systems and processes
• Relies on expert input from team to identify risk events
• No standard approach, so can be modified to suit each individual application

Question 18

Advantage and disadvantage of the structured what-if technique (SWIFT)

Answer 18

• More likely to identify all relevant risk events
• Expensive technique due to amount of time and people involved

Question 19

Delphi technique (5)

Answer 19

• Information gathering tool used to reach a consensus of experts on a subject (such as ID of risk events)
• Experts participate anonymously, with facilitator used to solicit ideas
• Responses are summarised and re-circulated for further comment
• Consensus reached in a few, or many, rounds of this process
• Should reduce bias and prevent domination of single individual

Question 20

Advantage and disadvantage of Delphi technique

Answer 20

• Can be effective at predicting risk events
• Time consuming, especially if consensus is hard to reach

Question 21

Root-cause analysis - risk identification (4)

Answer 21

• Focusses on investigating the root cause of risk events
• May be applied to hypothetical or real risk events that have occurred
• Based on assumption that many risk events have multiple causes
• If causes can be prevented, the event may be stopped from occurring

Question 22

Advantage and disadvantage of root-cause analysis technique

Answer 22

• Good when investigating causes of large and negative risk events that have occurred, to learn and prevent reoccurrence
• Time consuming, rarely practical or cost effective if looking to identify all risks

Question 23

Systems and process mapping - risk identification (2)

Answer 23

• Systems and process mapping involves putting all of an org’s systems and processes into flow charts which are than investigated to identify potential sources of risk
• Common technique is a fault-tree analysis, which identifies potential system of process failures and then looks backwards to search for possible causes

Question 24

Advantage and disadvantage of systems and process mapping technique

Answer 24

• It can highlight risk events that could combine to cause much larger risk events, which would be unlikely to be recognised by individuals working on a single aspect
• Expensive and time-consuming to flow-chart systems and processes and analyse them for points of failure causing risk events

Question 25

Risk identification - loss events and near misses (2)

Answer 25

- Represent learning opportunities where an organisation can identify causes of these events using techniques such as root-cause analysis - Can also help an org identify new risks

Question 26

What are emerging risks?

Answer 26

Risks that were not known about previously or were not considered to be significant

Question 27

Emerging risks:

Answer 27

Are characterised by high levels of uncertainty and may therefore be ignored or over- or underestimated

Question 28

3 tools to assess/identify emerging risks

Answer 28

- PEST analysis (external) - SWOT analysis (internal) - World Economic Forum Global Risk Report

Question 29

What do risk-assessment techniques assess?

Answer 29

The probability and impact of a risk event to help determine the level of exposure

Question 30

World Economic Forum Global Risk Report (2)

Answer 30

- Useful source of current and emerging risks - Issued each year, providing strategic view of risk and in-depth analysis of 'hot topics'

Question 31

3 main categories of risk assessment techniques

Answer 31

- Qualitative risk assessment - Quantitative risk assessment - Hybrid approaches

Question 32

Most dominant qualitative technique for risk assessment

Answer 32

Estimating probability and impact using an ordinal scale - eg. rating both 1-3 or low/medium/high Then, combining probability and impact to arrive at an exposure score - eg. multiplying probability rating with impact rating

Question 33

Quantitative risk assessments (3)

Answer 33

- Applied a standard of measurement to allow a more precise and objective analysis of risk (than qualitative) - Uses principles of statistical analysis, analysing and then combing complex distributions to arrive at an objective assessment of exposure - In theory, superior to qualitative approaches, as it does relies on historical data rather than subjective judgement

Question 34

Problems with quantitative risk assessments (2)

Answer 34

- Data is not always available - No guarantee that past is perfect indicator of future

Question 35

Hybrid approaches to risk assessment (4)

Answer 35

- Combines elements of quantitative and qualitative risk assessment - Aim is to provide consistent and objective method for risk assessment which does not rely on large amounts of data - Most often used for extreme risk events, being those with a low probability but a high impact - 2 approaches: Stress testing & scenario analysis

Question 36

What is stress testing?

Answer 36

A hybrid approach to risk assessment which involves assessing the impact that extreme movement in key financial variables have on an org, such as: - A fall in income - Rising inflation - Rising or falling interest rates - A sudden increase in costs

Question 37

Benefits of stress testing (2)

Answer 37

- Good way to assess fin. strength of an org, especially when faced with extreme events - Can help an org to prepare for extreme events should they occur

Question 38

What is scenario analysis?

Answer 38

A hybrid approach to risk assessment which is essentially an outline/model of a possible sequence of risk events, to determine plausible but extreme future scenarios before assessing their impact on an org

Question 39

Advantage and disadvantage of scenario analysis

Answer 39

- Can help orgs anticipate and prepare for extreme scenarios, being especially well suited to testing business continuity plans - Time consuming as it involves a number of functional specialists and managers

Question 40

What is the RAG system re. risk?

Answer 40

Stands for Red, Amber, Green - used to prioritise risk exposures

Question 41

Common interpretation of RAG reporting

Answer 41

Red - The level of risk exposure is very high (or low) and could threaten the achievement of an organisation’s strategic objectives - Immediate action is required on the part of management to manage the risk in question Amber - The level of risk exposure is higher/lower than normal - Management attention is required to determine whether action needs to be taken in the near future Green - The level of risk exposure is within normal parameters - No action is required – the risk is under adequate control

Question 42

5 risk reporting tools

Answer 42

- Heat maps - Loss and near-miss databases - Risk, control and performance indicators - Risk dashboards and balanced scorecards - Narrative reporting

Question 43

Risk reporting - heat maps

Answer 43

Use concept of RAG reporting, and apply colour in addition to RAG initial for ease of identification of areas of caution

Question 44

Risk reporting - loss and near miss dabtabases

Answer 44

Statistics collected from risk event and near miss databases (inc. data on value of loss) can be used to provide reports If enough data, reports can be provided based on risk category, business unit, or function

Question 45

Risk reporting - risk, control and performance indicators

Answer 45

Performance indicators, which are often employed across various areas of business, can be employed to monitor and report a range of risk and control metrics Different reports can be produced for different departments, functions, etc.

Question 46

Risk indicators:

Answer 46

provide information on an organisation’s inherent exposure to one or more risks

Question 47

Control indicators:

Answer 47

provide information on the effectiveness of one or more controls

Question 48

Common risk indicators: (3)

Answer 48

- Staff turnover (new staff are more mistake prone) - Number of attempted fire-wall breaches - Credit scores of any suppliers or debtors

Question 49

Common control indicators: 3()

Answer 49

- Frequency of electrical testing - Number of breaches of policy/procedures - Unresolved internal audit issues

Question 50

Risk reporting - risk dashboards (2)

Answer 50

- Risk reports that combine risk and control indicators, as well as heat maps, risk event and near miss data - Effective dashboards are not long, as this makes them difficult to process - info should be provided in the clearest way

Question 51

Risk reporting - balanced scorecards

Answer 51

- Used for strategic planning - Typically use four focus elements, which can then be used to structure risk dashboards, etc. - Elements will be factors in achieving objectives

Question 52

4 classic balanced scorecard elements/factors

Answer 52

- Fin. performance - Operational efficiency - Human resources - Compliance

Question 53

What is narrative reporting?

Answer 53

- Using words (in combo with numbers) to explain how risk exposure is changing - Common where there is no financial loss/gain data to be reported

Question 54

5 typical heading of a narrative risk report - with example

Answer 54

- Indicator - number of customer complaints - Trend - down arrow (*RAG can be used on arrows*) - Value last month - 101 - Previous value - 104 - Commentary - comment on whether high or low, causes, impacts, expectations for coming months

Question 55

4 key factors to consider when designing risk reports (and very briefly, why)

Answer 55

- Audience and its requirements - generally, less info for more seniors - Size of report and level of detail - more data is not always better as can become non-sensical - Degree of statistical complexity - don't make it too complex to understand - Reporting frequency - depends on frequency at which risk exposures change