IRM Flashcards
What does a good risk register look like?
Collates risks & controls
Tailored to your organisation
Updated regularly
Informs decision making
Enables the team to prioritise & manage their risks
What is risk policy?
Risk policy is the ‘what’: the framework and guidelines to manage risks
What are risk procedures?
Procedures are the ‘how’
What are the 8 key RM steps in ISO 31000?
Communication & Consultation; Scope, Context & Criteria; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Monitoring & Review; Recording & Reporting
What are the 8 key RM steps in COSO (2004)?
Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Info & Comms; Monitoring
What are the 4 RM standards?
ISO 31000, COSO (2004), COSO (2017), The Orange Book
What are the 5 components of COSO (2017)?
Governance & Culture; Strategy & Objective Setting; Performance; Review & Revision; Info, Comms & Reporting
What is Principle A of the Orange Book?
RM as an essential part of governance & leadership
What is Principle B of the Orange Book?
RM an integral part of all organisational activities to support decision making
What is Principle C of the Orange Book?
RM shall be collaborative and informed by the best available information and expertise
What is Principle D of the Orange Book?
RM to have structured processes incl. risk identification & assessment, risk treatment, risk monitoring, risk reporting
What is Principle E of the Orange Book?
RM shall be continually improved through learning and experience
What are the 3 components of context?
Internal, External, Risk Management
What is the purpose of establishing context according to ISO 31000?
To enable effective risk assessment & treatment
What is the extended enterprise?
Organisations come together to achieve objectives they could not achieve on their own
What are the key elements of the extended enterprise?
Core activities, key inputs & outputs, external influences
What does PESTLE help to do?
Analyse an organisation’s context
What is Mendelow’s matrix?
Helps with stakeholder mapping
What are some difficulties in setting objectives?
Picking ones that support the mission; conflicting stakeholder expectations; context constantly changing
What is the attachment of risk?
The process of transferring or assigning a specific risk or liability from one party to another
What are the 3 stages of risk assessment?
Risk identification, risk analysis, risk evaluation
What is the purpose of risk identification?
To find, recognise and describe risks that might prevent/help org from achieving its objectives
What is a cause? risk? consequence?
Cause: something happening now or that has happened. Risk: the uncertainty. Consequence: the impact on objectives.
What are Hopkin’s 5 techniques for risk assessment?
Checklists & questionnaires; workshops & brainstorming; inspections & audits; flowcharts & dependency analysis; crowd sourcing technology
Words to describe emerging risks?
Ambiguous, chaotic, complete, uncertain, volatile
What is the definition of an emerging risk?
A risk that is new, or a familiar risk in a new/unfamiliar context or under new context conditions. Potentially significant but not fully understood, so it cannot be managed with confidence.
What is the importance of risk classification?
Structure to risk identification process; facilitate identification of more risks; consistent risk terminologies; assign responsibilities; estimate total exposure; bundle risk treatment
What does FIRM help with and stand for?
Risk classification. Financial, Industrial, Reputational, Marketplace
What are the 5/4 Ts for risk control?
Terminate, Treat, Transfer, Tolerate, Take
Sartarla designed a flow chart to …?
Decide what is a real control, and challenge its effectiveness.
How does the ISO 31000 define a control?
A measure that maintains/modifies a risk
What are the 5 response strategy types (5 E’s)?
Explore opportunities; opportunities Exploited further; opportunities in decline must Exit; Expand; Exist in maturing or declining markets.
What is damage limitation?
Reducing the magnitude/severity of risk when it occurs, manage impacts
What is loss prevention?
Reducing the likelihood of a risk, and also its impact if it does occur
What is a preventative control?
Before the risk occurs; an internal control used to avoid an undesirable event occurring
What is cost containment?
When a hazard risk materializes despite the efforts put into loss prevention and damage limitation, there may well still be a need to contain the cost of the event
What is the most effective/best type of control?
Preventative control
What is a directive control?
Directions for how to behave, e.g. contracts; pre-event
What are detective controls?
Detect a risk, e.g. fire alarm; post-event
What are anticipatory controls?
Long-term & strategic
What are corrective controls?
Implemented once the risk has occurred
What controls are implemented pre-event?
Preventative, Directive
What controls are implemented post-event?
Corrective, Detective
What type of control is insurance?
Corrective, post-event
What type of control is business continuity?
Corrective, post-event
Is business continuity a loss prevention, damage limitation or cost containment?
Cost containment
What is an engineering control?
Isolate people from the hazard
What is an administrative control?
Change the way people work
What is an elimination control?
Physically remove the hazard
What is the substitution control?
Replace the hazard
What is the swiss cheese model?
A slice of Swiss cheese is symbolic of a given measure taken to minimize risk
What is the purpose of monitoring & reviewing according to ISO 31000?
To assess & improve the quality & effectiveness of process design, implementation and outcomes
What are some methods to monitor risk?
KRIs, KCIs
Monitoring is …. but review is … & ….?
Monitoring is ongoing but review is periodic & changes
What are 4 ways to collect data?
Audits, Customer audits, internet of things, satellite data
What is big data?
Data that contains variety, arriving in increasing volume & with more velocity
How does ISO 31000 define risk?
‘effect of uncertainty on objectives’
What are Hopkin’s 4 categories of risk?
Hazard, Opportunity, Compliance, Control
How does ISO 31000 define RM?
‘coordinated activities to direct & control an organisation with regard to risk’
What is needed for ERM to work effectively?
High investment, high risk maturity, strong risk assurance
When was RM introduced?
1995
Why is it important to know about the history of RM?
To know where we are now & where we might be in the future; conventional views have to be altered