IRM M1 U1.1 Introducing ERM Flashcards
Definition of risk, as per the International Organization for Standardization (ISO 31000, 2018) and the Orange Book:
‘the effect of uncertainty on objectives.’
This is neither negative nor positive, and offers a more nuanced view than that of the ‘popular’ or dictionary definition.
The guide notes that risk is often described by an event, a change in circumstances, a consequence, or a combination of these, and how they may affect the achievement of objectives.
Following the ISO 31000 definition, Hopkin sub-divided risks into four categories:
Compliance – mandatory risks. Energy, gambling, finance and public sectors. Zero risk tolerance.
Hazard risks – negative risks, e.g. theft or incidents. Operational risk management incl. H&S. Insurable types of risk: flood, fire, storm. Disruption caused by people, premises, processes and products (4Ps).
Control risks – uncertainty, e.g. project risks around timing, budget or delivery.
Opportunity risks – positive risk. Risks in taking or not taking the opportunity. Small organisation: moving location, new products etc. Example: a farm shop adding a new click-and-collect service.
All four illustrated with the example of a start-up.
ISO 31000 defines risk management as
‘Coordinated activities to direct and control an organisation with regard to risk.’
James Lam (2003), chief risk officer at GE Capital, described ERM as
‘the integrated management of business risk, financial risk, operational risk and risk transfer to maximise a firm’s shareholder value’.
The History of Risk
1. Introduction of the Hindu-Arabic numbering system.
2. Invention of probability theory.
3. The growth of boreoarctic states.
Risk definition as per the IRM:
‘the combination of the probability of the event and its consequences.’
The concepts of risk and uncertainty
In 1985, Perry and Hayes differentiated the two concepts through measurement: ‘risk is a measurable uncertainty, while uncertainty is an un-measurable risk’.
Flanagan and Norman (1993) stated that ‘Uncertainty is a situation where no historical data exists or previous history related to the situation under scrutiny’.
Levels of Risk
Inherent level of risk / Gross / Absolute: The level of risk before any actions have been taken to change the likelihood or magnitude of the risk.
Current or residual level of risk / Net /Managed: The level of risk after initial control measures have been put in place.
Target level of risk: The level of risk that is desired or will be obtained with the application of further control measures.
Example: crossing the road.
Risk classification
Risks can be classified according to the nature of the attributes of the risk.
These can be:
timescale – both at impact and after the event;
source of the risk, for example counterparty or credit risk;
nature of the impact and/or likely magnitude of the risk;
component or feature that will be impacted (eg risks can impact people, premises, processes or products).
Risk Likelihood and Impact
Heat maps.
Example: warehouse fire.
STOC – four areas of improvement
Organizations that manage risks will be able to achieve the following four areas of improvement, which are abbreviated as STOC throughout this book:
Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.
Impact of Hazard Risks
Hazard risks are often insurable, as they can only have a negative outcome.
Hazard risk management is concerned with issues such as health and safety at work, fire prevention and avoiding the consequences of defective products.
Hazard risks can cause disruption to normal operations, as well as resulting in increased costs and poor publicity associated with disruptive events.
Hazard risks are related to business dependencies, including IT and other supporting services. The increased dependence on IT systems in most organizations means hazards such as virus infection, deliberate hacking or denial of service attacks assume a high degree of significance.
Risk Attachments
Significant risks can be attached to aspects of the organization other than corporate objectives. Significant risks can be identified by considering the key dependencies of the organization, the corporate objectives and/or the stakeholder expectations, as well as by analysis of the core processes of the organization.
For example, Arcadia, a clothes retailer in the UK, failed in 2020 because they had underinvested in online retailing and were unable to effectively maintain business operations (their core operations) when the Covid-19 pandemic disrupted their business model. The risk of underinvestment was magnified by the impact of the pandemic, which drove customers to online channels.
Timescale of Risk Impact
Risks can be considered as having:
- long-term impact – strategic decisions, around 5 years;
- medium-term impact – 1–2 years, e.g. launching a new product;
- short-term impact – insurable risks, e.g. theft, fire.
Example: new software. The decision to adopt it is long-term; implementing the project is a control risk with medium-term impact; once installed, it is exposed to hazard risk.
4 Ps - Categories of operational disruptions
People: lack of people skills and/or resources; inappropriate behaviour by a senior manager; unexpected absence of key personnel; ill health, accident or injury to people.
Premises: inadequate, insufficient or denial of access to premises; damage to or contamination of premises; damage to and breakdown of physical assets; theft or loss of physical assets.
Processes: poor maintenance of production equipment; disruption by software failure, hacker or computer virus; inadequate management of information; failure of communication or transport systems.
Products: poor product or service quality; disruption caused by failure of supplier; delivery of defective goods or components; failure of outsourced services and facilities.