Identifying Risk Flashcards

1
Q

Risk

A

Risk exists whenever future outcomes cannot be predicted with certainty.

2
Q

Business Risk

A

A business risk threatens achievement of a company’s goals. Business risks can arise from internal
or external sources.

3
Q

Types of Business Risks:

A

There are two major types of risks:
• Pure Risk
• Speculative Risk

4
Q

What is pure risk?

A

Pure risk refers to risks that are beyond human control and result in a loss or no loss. There is no
possibility of financial gain.

5
Q

Examples of Pure Risks

A

• Errors or negligence by staff members
• Malfunctioning of machines or IT systems
• Terrorist attack, fire, flood and other natural disasters affecting the business

6
Q

What is Speculative risk?

A

Speculative risk is risk that is taken on voluntarily and can result in either a profit or loss.
Speculative risks are thus considered controllable risks.

7
Q

Examples of Speculative Risks:

A

• Investment activities (e.g. launch of new product, new business, investing in stocks)
• Sports betting

8
Q

Compliance Risk

A

It is the risk that a company may not comply
with laws, regulations and standards. This
may result in payment of fines or losing
customers.

e.g.
If a manufacturing company’s employees don’t follow
government safety regulations while building
machines, their behavior can be a compliance risk for
the company.

9
Q

Legal Risk

A

It is the risk that people may file legal cases
against the company, which the company may
lose.

e.g.
If the company does not fulfil contracts, or there is a
dispute with parties.

10
Q

Reputational Risk

A

It is the risk that public opinion may
change about the company. It results in a lack of
confidence among the public and investors.

e.g.
A clothing company prints an offensive image on a
shirt, and the story goes viral on social media, causing a
wave of negative news coverage. This may result in
a drop in sales.

11
Q

Security Risk

A

It is the risk that a company does not
follow appropriate cybersecurity
strategies.

e.g.
If an insurance company has a weak policy for
employee passwords, this can pose a security risk for
the company. A hacker can release sensitive data, which
can hurt the company’s reputation or impact profits.

12
Q

Financial Risk

A

Financial Risk occurs when a company has
poor financial management.

Examples of financial risk include:
• Interest Rate Risk
• Commodity Price Risk
• Exchange Rate Risk
• Liquidity Risk
• Default Risk

13
Q

Competition Risk

A

A competition risk can happen when a
competitor takes an increasing share of the
market for a product or service.

e.g.
Business A sells printers. Business A may experience a
competition risk when a competitor, Business B, uses
technological innovations to sell printers with more
capabilities to Business A’s customers.

14
Q

Physical Risk

A

Physical risks are threats to a company’s
physical assets due to fire, natural disaster,
theft or poor training.

e.g.
A media company owns a building that houses a
newspaper staff and a printing plant. The building can
be prone to fires if employees of the printing plant fail
to properly inspect and maintain printing equipment.
The lack of maintenance and inspections can pose a
physical risk to the building, its equipment and the
company’s employees.

15
Q

Benefits of Risk Management

A

  1. Increased chances of achieving objectives.
  2. Proactive management.
  3. Compliance with legal requirements.
  4. Awareness to identify and treat risk throughout the organization.
  5. Improved controls.
  6. Improved governance.
  7. Reliable basis for decision making.

16
Q

Responsibility of Risk Management:

A

In Pakistan, SECP’s Code of Corporate Governance states that directors should report on Risk
Management and Compliance issues.
Risk management happens at Board level as well as at operational level.

17
Q

Risk Committee:

A

Large companies establish a Risk Committee (a sub-committee of the Board of Directors),
which is responsible for identifying risks, monitoring risks and reporting the effectiveness of risk
management to the Board.

18
Q

Box-ticking Approach:

A

In this approach, certain procedures are performed on every item to eliminate risk (e.g. scanning
every passenger at an airport).

19
Q

Risk-based Approach:

A

Management assumes that some risk is unavoidable. Management looks for only those items which
have high risk, to reduce risk to acceptable level.

20
Q

Scope ISO31000

A

ISO 31000 provides general guidance on how to manage risk. This guidance can be applied to any
industry, any company and any level.

21
Q

Risk ISO31000

A

Effect of uncertainty on objectives

22
Q

Risk management ISO31000

A

Coordinated activities to direct and control an organization with regard to risk

23
Q

Control ISO31000

A

Measure that maintains and/or reduces risk

24
Q

Principles

A

The principles are the foundation for managing risk and should be considered when establishing
the organization’s risk management framework and processes.

  1. Integrated:
    Risk management is an integral part of all organizational activities.
  2. Structured and comprehensive:
    A structured and comprehensive approach to risk management should be
    adopted.
  3. Customized:
    The risk management framework and process can be customized according to the
    organization’s objectives.
  4. Inclusive:
    All stakeholders should be involved in risk management. This will improve awareness of
    risk management and lead to well-informed risk management.
  5. Dynamic:
    Risks can change due to internal and external changes in the organization. Risk management
    should consider these changes.
  6. Best available information:
    Risk management should be based on timely, clear information. Any limitation or
    uncertainty regarding information should also be considered.
  7. Human and cultural factors:
    Human and cultural factors should also be considered at each level and stage.
  8. Continual improvement:
    Risk management is a continuous process which is improved through learning and
    experience.

25
Q

Section 5: Framework

A

The purpose of the risk management framework is to assist the organization in integrating risk
management into significant activities and functions.
Framework development includes integrating, designing, implementing, evaluating and improving
risk management across the organization. This requires support from leadership.

26
Q

1. Leadership and Commitment

A

Top management should ensure that risk management is integrated into all
organizational activities. They should:
• Customize and implement all components of the framework;
• Make a policy that establishes risk management approach.
• Allocate necessary resources to risk management.
• Assign authority and responsibilities at appropriate levels within
the organization.

27
Q

1. Integration

A

Risk management should be integrated in every part of the organization. Every
department and everyone in the organization is responsible for managing
risk. However, it can be customized.

28
Q

1. Design

A

It means planning a risk management strategy according to the needs of the
organization. This component includes the following steps:
1. Understanding the organization
2. Showing commitment to risk management
3. Assigning roles and responsibilities
4. Allocating resources
5. Establishing communication and consultation between stakeholders

29
Q

1. Implement

A

This means putting the plans into action. It includes:
• Setting objectives and deadlines
• Clearly defining the decision-making process
• Evaluating and making changes to the decision-making process
where appropriate
• Ensuring that arrangements are clearly understood and practiced.

30
Q

1. Evaluate

A

This means checking whether the risk management system is working as it
should.
It includes:
• Comparing performance of the risk management system with goals.
• Determining whether the risk management system is appropriate
or needs amendments.

31
Q

1. Improve

A

This means improving the risk management system on a continuous basis. It
includes:
• Taking corrective actions to remove deficiencies in the risk management
system.
• Addressing new risks arising due to internal and external changes.

32
Q

Risk Management Process:

A

The risk management process includes the following activities:
• communication and consultation
• establishing the scope, context and criteria
• assessing, treating, monitoring, reviewing, and reporting risk

33
Q

Communicating and Consultation

A

• Communication means promoting awareness and understanding of
risk.
• Consultation means obtaining feedback and information to support
decision-making.

34
Q

Scope, context and criteria

A

• The organization should define the scope of its risk management
activities.
• The organization should establish risk management in the context
of the internal and external environment in which the organization
operates.
• The organization should specify criteria as to how to evaluate the
significance of risks, and which risks to take and which not to take.
The purpose of this step is to customize the risk management process.

35
Q

Risk Assessment

A

Risk assessment is the overall process of risk identification, risk analysis
and risk evaluation.
• Risk Identification:
The purpose of risk identification is to identify risks that may
prevent an organization from achieving its objectives.
• Risk Analysis:
Risk analysis includes consideration of risk sources, probability,
impact, existing controls and their effectiveness.
Risks may have:
o Low Probability, Low Impact
o Low Probability, High Impact
o High Probability, Low Impact
o High Probability, High Impact
• Risk Evaluation:
Risk evaluation involves comparing the results of the risk analysis
with the established risk criteria to determine whether Residual
Risk is tolerable or additional action is required.

36
Q

Risk Treatment

A

The purpose of risk treatment is to select and implement options for
addressing risk.
Options for treating risk may involve one or more of the following:
• avoiding risk (by discontinuing activity giving rise to risk), or taking
risk;
• removing the risk source;
• changing the likelihood;
• changing the consequences;
• sharing the risk with others (e.g. through contracts, buying
insurance);
• retaining the risk by informed decision.

37
Q

Monitoring and Review

A

It includes analyzing results and providing feedback. Its purpose is to
ensure the effectiveness of the risk management process.

38
Q

Recording and Reporting

A

The risk management process and its outcomes should be documented and
reported through appropriate mechanisms.