Introduction To Risk Management Flashcards
Risk definition
The possible variation of an outcome from what is expected
COSO Definition of risk
The possibility that an event will occur and adversely affect the achievement of objectives
COSO definition of opportunity
The possibility that an event will occur and positively affect the achievement of objectives
Uncertainty definition
Inability to predict due to lack of information
3 attitudes to risk
Risk averse
Risk neutral
Risk seeker
Risk averse attitude
More certainty less reward
Risk neutral attitude
Investment chosen based on return
Risk seeker attitude
Chosen due to high risk even if return lower
Three types of risk
{Bof}
Business risk
Operational risk
Financial risk
5 types of business risk
{Pepe’s}
Product
Economic
Property
Enterprise
Strategy
2 types of financial risk
Controllable
Uncontrollable
5 types of operational risk
{Pecs}
Process
People
Event
Cyber
Systems
4 types of event risk
{DRReSs well for the event}
Disaster
Regulatory
Reputation
Systemic (participant in business’ supply chain)
4 terms in measuring risk
Probability
Impact
Exposure
Volatility
Measures of central tendency
Mean
Median
Mode
Expected value
Measures of dispersion/spread
Range
Deviation
Variance
Standard deviation
Coefficient of variation
Deviation
How far away from the mean
Variance =
The average of all squared deviations
Σ(x-Av)^2/n
Standard deviation
Square root of the variance
Coefficient of variation
Standard deviation divided by the mean
Useful to compare variations across different means (often %)
Lower = better return to risk
Frequency distribution
Based on sets of values e.g. 10-20, 21-30…
Often shows normal distribution
Normal distribution
Bell curve
Mean in centre
Mean median and mode the same
Area under curve = 1
Normal distribution standard deviations
34% of values between the mean and 1 standard deviation (68% within ±1)
47.5% of values between the mean and 2 standard deviations
49.9% of values between the mean and 3 standard deviations
For a normal distribution, what can we work out if we know the mean and standard deviation?
The probability of a certain value occurring
Left skewed data
Aka negatively skewed
Concentrated on the right
Median and mean to left of mode
Right skewed data
Aka positively skewed
Concentrated on the left
4 stages of the risk management process
Awareness and identification
Assessment and measurement
Response and control
Monitoring and reporting
Techniques to identify risks
PESTLE/SWOT
External advisors
Interviews/Questionnaires
Internal audit
Brainstorming
5 types of loss
Property loss (assets)
Liability loss (legal)
Personnel loss (injury, sickness, death)
Pecuniary loss
Interruption loss (inability to operate)
Risk assessment
Nature and goal implications
Risk measurement
Estimates the probability of the risk, quantifies its impact, and calculates potential loss using expected values (gross risk)
Gross risk
Probability x impact
(and considering control measures)
Risk assessment map
Matrix of impact and probability
High impact low probability risk
Sharing
Reduction
High impact high probability risk
Avoidance
Reduction
Share
Low impact low probability risk
Accepted
Low impact high probability risk
Reduction
TARA model of risk responses
Transfer (sharing)
Avoidance
Reduction
Acceptance (retention)
TARA model of risk responses: Transfer
Transfer risk to 3rd party
E.g. insurance, hedging
TARA model of risk responses: Avoidance
Don’t do risky activities
But lose upside potential too
TARA model of risk responses: Acceptance
Tolerate losses
Can be cheaper than insurance for small risks
TARA model of risk responses: Reduction
Retain activity but reduce risk
Mitigating controls:
Preventative
Corrective
Directive
Detective
Benefits of risk monitoring
Current effectiveness
Change to risk profile
What risks does the Corporate Governance Code require listed companies to report on?
- Nature and extent of risks willing to take to achieve objectives
- Management issues
Corporate Governance Code: 4 additional board disclosures (risk reporting)
- Responsible for internal control systems
- Systems designed to manage not eliminate risk
- How dealt with internal control aspects of significant problems highlighted in accounts
- Weaknesses of internal control that have resulted in material losses
7 types of crisis
Natural event
Industrial accident (e.g. fire, collapse)
Product/service failure
PR disaster
Business crisis (e.g. loss of key supplier/customer)
Management crisis (e.g. hostile takeover bid/loss of key management)
Legal/regulatory crisis
2 things crisis management should consider
Contingency plans
Crisis prevention
ICSA 2 axes of business resilience
- PROCESSES and functions to protect the organisation
- General ORGANISATIONAL characteristics driving resilience
ICSA: Processes and functions to protect the organisation
Risk management
Business continuity planning
Security
IT disaster recovery
Health and safety
Crisis management
Internal audit
Governance
ICSA: General organisational characteristics driving resilience
Employee trust in management
Customer trust in organisation
Ability to innovate
Clear values
Values linked to behaviour
Effective risk management
Morale
Leadership involvement
2 types of business resilience changes
External (laws, recession)
Internal/planned (overseas investment, closure of significant operations, new strategic direction)
ICSA 4 features of resilient organisations
- Diversified RESOURCES
- Strong internal and external RELATIONSHIP network
- Rapid and decisive RESPONSE to emerging crisis
- Self-REVIEW and adaptation to meet changing circumstances
Challenges to achieving resilience
Lack of expertise
Lack of input from leadership
Lack of cohesive thinking between departments
ICSA 4 key metrics to measure resilience
- Compliance (internal)
- Completeness (breadth of readiness, multiple issues concurrently!)
- Comparability/capability (testing+reviewing responses to potential shocks)
- Value (hitting goals quantitative+qualitative)
Disaster definition
(Part of) OPERATIONS break down causing losses to equipment/data/funds
Crisis definition
Unexpected event that threatens well-being/normal operations of business.
Affecting customers, employees, investors and other stakeholders.
6 components of disaster recovery plan
{Disaster recovery CREEP}
Define responsibilities
Communicate with staff
Risk assessment
Establish back-ups and standbys
Establish PR
Prioritise actions