IRM ERM M1U4.1 Management of risks using real controls Flashcards

1
Q

Purpose of managing or treating risks

A

Having understood the context in which we are working as well as our objectives, identified and analysed our risks to determine their overall effect on those objectives, and evaluated whether further action is necessary to bring the risks to an acceptable level, the next logical stage is to manage, respond to, treat, or control the identified risks.

While organisations would like to eliminate all the high-severity threats and enable all of the high impact opportunities, this may not be possible for reasons of practicality or cost-effectiveness.

Also, flaws in the risk analysis process can result in overly pessimistic or optimistic risk ratings, and may mean that we focus our attention on lower-level risks.

2
Q

Feedback loop into the risk management process. Current vs Target

A

For the risk management process to work correctly we must build a feedback loop into the risk management process as follows:

We treat a risk by comparing the current risk rating with the target risk rating (usually our risk appetite). If the current risk rating exceeds the risk appetite, we will manage it.

Then we re-analyse the current risk after treatment. If the current risk rating still exceeds the risk appetite, we will treat it again to manage the risk further towards our target.

Then we re-analyse the current risk again. Only when the current rating has reached the target rating, do we stop implementing additional actions to manage the risk. If we cannot reach the target rating sufficiently or economically then we might have to consider revising our objectives and thus beginning the whole risk management process again.

This should be a constant feedback loop because the context, risks, controls, and our risk appetite are likely to be constantly changing.

3
Q

ISO Control definition

A

ISO 31000:2018 defines a control as a “measure that maintains and/or modifies risk,” with two additional notes:

Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.

As such, controls should take charge of and change the risk – either by tackling the causes and changing the likelihood of the risk occurring, or the consequences and changing the impact should the risk occur.

4
Q

‘Real’ control

A

As can be seen in the real-world example, many controls allocated to risks are simply data collection or guidance.

Both data collection and guidance support active management of risks, but they both need to be utilised to ensure risks are modified.

Just a quick internet search will reveal many examples of incidents where an individual, team or the organisation did not use the data or follow the guidance given.

5
Q

ISO 31000 Response strategies.

A

Risks should not be managed at any cost. The standard also suggests that more than one option can be chosen to manage risks, and may involve one or more of the following approaches:

avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

taking or increasing the risk to pursue an opportunity;

removing the risk source;

changing the likelihood;

changing the consequences;

sharing the risk (for example through contracts or buying insurance);

retaining the risk by informed decision.

Some of these approaches are more relevant to threats (for example, avoiding the risk) and some more appropriate for opportunities (for example, taking or increasing the risk). The key point is that they should all do something to modify the risk, whether it is a threat, an opportunity, or both.

6
Q

The 4Ts - Hazard Response

A

Terminate - To terminate a risk an organisation will often need to terminate the activity which is associated with the risk. Termination is something that organisations usually undertake reluctantly, because the residual severity of the risk is simply too high after the organisation has considered all other possible cost-effective responses (transfer or treat).

Transfer - An organisation may try to transfer risk exposure to a third party, such as an insurance company. In practice though it is very unlikely an organisation can fully transfer a risk and for that reason the term ‘risk sharing’ is often used. Other examples of risk transfer include joint ventures, outsourcing and risk financing. These are areas that you will study in later modules.

Treat - An organisation can treat a risk by retaining it in the organisation and taking action to modify its severity, likelihood, or impact. You will also see that the most common approach to respond to risks is through the ‘treat’ option.

Tolerate - An organisation will normally tolerate a hazard risk if the risk’s perceived severity is less than the risk appetite. Clearly, an organisation will tend to tolerate low-severity risks. However, it may tolerate some high-severity risks – for example, where it has failed to identify risks or has under-estimated the severity of the risk. Toleration of high-severity risk makes the organisation especially vulnerable, and some people argue that it is not the known risks that destroy an organisation, but those risks that are unknown and implicitly tolerated.

7
Q

The 4Es and 5Es - Opportunities response

A

For opportunities, Hopkin and Thompson suggest the response strategy types are categorised as the 4 or 5 Es. These response strategies are not based on the likelihood versus impact matrix, but follow a very simple lifecycle of a business:

Start-up operations Explore their new opportunities, assessing whether it is worth taking the risk.

During the Growth phase, the operation Expands the opportunity, for example through raising investment or making sales. The risk, therefore, stays the same, but the reward increases.

The operation may then decide to Exit the opportunity through a successful and profitable sale of the opportunity (‘cashing-out’), with the same risk, but massive reward. In some cases, however, the operation may decide to Exit the opportunity altogether if the investment is outside of its risk appetite.

Alternatively, as a Mature operation, the opportunity is Exploited further, for example by securing investors or acquisitions. Here, the level of risk has reduced, but the reward stays the same.

Operations in Decline have not changed ahead of or in line with market demand, and opportunities will just Exist. Here the level of risk and potential reward are both low, with low sales in a shrinking market.

As with the 4Ts, this is rather a basic view of the treatment of opportunities, as not all organisations or all opportunities follow those stages or that path.

8
Q

Loss control

A

As noted in ISO 31000, controls can be put in place either to change the likelihood of the risk occurring or to change the size of the impact should the risk occur, both of which can be used for threats and opportunities.

Hopkin and Thompson consider the treatment of threats using loss control which has three parts:

Loss prevention – controls designed to stop a risk from occurring (managing the causes).
Damage limitation – controls designed to reduce the size of the risk as soon as it has occurred (managing the impacts).
Cost containment – controls designed to reduce the long-term effect of the risk, such as business continuity management.

9
Q

PCDD / control theory.

A

Control theory describes a hierarchy of risk responses as preventive, corrective, directive, and detective (abbreviated as ‘PCDD’).

Preventive controls - Hopkin and Thompson suggest this is the most important approach, but prevention may not always be cost-effective, especially if the likelihood of a risk occurring is low. For risks that we have no control over, such as some external risks, it might be impossible to prevent them anyway, in which case we are left with considering only the other three options. In that sense, a cost-benefit analysis of any preventive control is vital. Preventive controls are effective before the risk occurs.

Corrective controls - these are in place where preventive controls are not feasible, desirable, or cost-effective (although they could be used also as a secondary defence, should the preventive controls fail). Again, alongside their adequacy and effectiveness, the corrective controls’ value for money also needs to be tested. Corrective controls need to be developed prior to the risk occurring but become effective once a risk has occurred.

Directive controls - these are a common type of control and are based on giving directions to another person or party as to how they should behave in certain circumstances. This type of control is based on the behaviour of individuals and, therefore, may not be very reliable. As noted earlier, directive controls, on their own, are not real controls. Contracts are directive controls because a contract instructs the parties to the contract what they should do in specified circumstances.

Detective controls – these detect a risk occurring, such as a fire alarm or the detection of a project off-track through an audit review taking place six months into a project.

Preventive and directive controls are pre-event manifestation controls; corrective and detective controls are post-event manifestation controls.

10
Q

Role of insurance and business continuity vs RM

A

The roles of insurance and business continuity are heavily intertwined with risk management; in fact, both could be considered as an origin for the structured risk management process we see today.

Both disciplines are essentially reactive (corrective or post-event manifestation) controls that are effective once a risk has occurred, but they need to be planned carefully in advance.

Insurance is a key financial risk transfer mechanism. The insured organisation makes a contract with the insurer, in the form of an insurance policy, that provides indemnity (security or protection against a loss) for insured events. Should an insured event occur that results in loss, the indemnity puts the insured back in the position (at least financially) as if the loss had never occurred.

Business continuity planning is a key risk treatment mechanism and a component of ‘cost containment’ – part of Hopkin and Thompson’s loss control. Business continuity planning is all about planning in advance for a potentially disruptive event, which could be limited to a single building or could have a company-wide impact, such as computer systems failing or a pandemic. This structured planning will prepare an organisation to deal with the event if it occurs, and to recover to a pre-loss situation as quickly as possible.

The international standard on business continuity planning, ISO 22301:2019 – Societal security – Business continuity management systems – Requirements, first expects organisations to understand the disruptive risks they face (both opportunities and threats) and to have controls in place to manage these effectively. It then covers understanding the impact these risks could have on the organisation, planning strategies and solutions to overcome them, and then monitoring, testing, and improving the plans to ensure the organisation is resilient in the face of disruptive events.

11
Q

History of insurance

A

Insurance has a very long history that can be traced back to Chinese and Babylonian traders.

It became formalized in the shipping industry, where marine insurance can be traced to the mid-1300s in Europe.

In the 1680s, a coffee shop (Lloyd’s) opened in London, which became the meeting place for parties wishing to insure cargoes and ships.

Insurance developed rapidly during the 18th and 19th centuries to provide financial protection for property. In the United States the development was often spurred by major disasters, typically large fires that laid waste to cities through spreading in closely confined neighbourhoods. This happened in New York in 1835, and Chicago in 1871.

12
Q

Types of insurance cover

A

balance sheet/profit and loss protection (first-party protection);

mandatory legal and contractual obligations (third-party protection);

protection of employee assets (benefits insurance).

13
Q

ERM and business continuity management

A

The risk assessment required as part of the risk management process and the business impact analysis that is the basis of business continuity planning (BCP) are closely related.

The concept of BCP additionally feeds into the idea of ‘resilience’.

Where ERM and BCP differ is in timing and structural elements. ERM is concerned with the management of risks that could impact core processes and looks across the organization in an integrated fashion.

Business continuity is concerned with actions that should be taken to maintain the continuity of individual activities. The business continuity approach has the very specific function of identifying responses that should be taken after the risk has materialized in order to minimize its impact.

BCP relates to resuming operations with as minimal an impact on the organisation as possible, e.g. cost containment and customer retention.
