Module 1 - Unit 1 (Concepts and Definitions of Risk and Risk Management) Flashcards

1
Q

Define what is meant by ‘risk’ according to International Organisation for Standardisation (ISO, 2018).

A
  • Risk is the effect of uncertainty on objectives.
  • Note that an effect is a deviation from the expected, and can be positive or negative.
  • Also, risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.
2
Q

Define what is meant by ‘risk’ according to the Institute of Risk Management (IRM).

A
  • Risk is the combination of the probability of an event and its consequence.
  • Consequences range from positive to negative.
3
Q

Define what is meant by ‘risk’ according to COSO (2017).

A
  • Risk is the probability that an event will occur and affect the achievement of strategy and business objectives
  • Negative and positive outcomes.
4
Q

Define what is meant by ‘risk’ according to the Institute of Internal Auditors (IIA).

A
  • Risk is the uncertainty of an event occurring that could have an impact on the achievement of the objectives.
  • Risk is measured in terms of consequences and likelihood.
5
Q

Define what is meant by ‘risk’ according to the Orange Book from HM Treasury.

A

• Risk is uncertainty of outcome, with a range of exposure, arising from a combination of the impact and the probability of potential events.

6
Q

Identify one reason why having a definition of risk is important to organisations.

A

• A risk definition is useful so that everyone understands what a risk is, and that as a result, a consistent approach to managing risks can be achieved.
= aids consistency

7
Q

Identify one potential benefit from having a shared risk vocabulary across an organisation.

A
  • Aids consistency of application across an organisation.
  • Encourages a common understanding across all staff.
  • Enables single, agreed definitions of key aspects of the risk framework.
8
Q

State two reasons why a common language of risk is required across an organisation if the contribution of risk management is to be maximised.

A
  1. To enable the organisation to develop an agreed perception of risk and attitude to risk.
  2. To allow an organisation to agree a risk classification system or series of such systems.
9
Q

According to Hopkin (2018), what are the different types of risk?

A
  • Hazard (pure) risks
  • Control (uncertainty) risks
  • Opportunity (speculative) risks
  • Compliance (mandatory) risks.
10
Q

Describe the differences between:
• Hazard;
• Opportunity; and
• Control risks

A
  • Hazard (pure) risks can only have a negative impact.
  • Opportunity (speculative) risks can only have a positive, or potentially positive, impact.
  • Control (uncertainty) risks: the impact is uncertain, and can be negative or positive.
11
Q

Provide an example of each of the following categories of risk:
• Hazard (pure) risks;
• Control (uncertainty) risks; and
• Opportunity (speculative) risks.

A
  • Hazard (pure) risk examples include: operational or insurable risks e.g. fire, theft, and fraud risks.
  • Control (uncertainty) risk examples include: tactical, and project risks.
  • Opportunity (speculative) risk examples include: marketplace or commercial risks.
12
Q

Explain the error(s) in the following statement about types of risk: “There are certain risks that can result in both positive and negative outcomes. These risks are called “pure risks”.”

A

You may answer in two ways:

(i) Hazard (pure) risks have only a downside i.e. negative outcomes.
(ii) Risks that have both positive and negative outcomes could be defined as control (uncertainty) risks.

13
Q

Complete the following sentence by entering the four missing words:
_______ risks ______ objectives, and the level of _______ of such risks is a measure of their ______.

A

HAZARD risks UNDERMINE objectives, and the level of IMPACT of such risks is a measure of their SIGNIFICANCE.

14
Q

Which of the three actions Tom Brown is undertaking is categorised as a pure risk?
A. Buying 100 lottery tickets.
B. Selling his house even though he receives less than he paid for it, because he thinks prices will fall further.
C. Going horse riding without wearing a helmet.

A

C. Going horse riding without wearing a helmet.

15
Q

Provide two reasons why a detailed risk description is needed to fully understand a risk.

A
  1. A common understanding of the risk can be identified.
  2. Ownership/responsibilities may be clearly understood.
16
Q

State the 14 components that may be included in a risk description.

A
  1. Name or title of the risk.
  2. Statement of the risk (including the scope of the risks, and details of possible events and dependencies).
  3. Nature of the risk (including details of risk classification and timescale of potential impact).
  4. Stakeholders in the risks (both internal and external).
  5. Risk attitude, appetite, tolerance, limits for the risk and/or risk criteria.
  6. Likelihood and magnitude of event, and consequences should the risk materialise at residual (current) level.
  7. Control standard required, target level of risk or risk criteria.
  8. Incident and loss experience.
  9. Existing control mechanisms and activities.
  10. Responsibility for developing risk strategy and policy.
  11. Potential for risk improvement and level of confidence in existing controls.
  12. Risk improvement recommendations and deadlines for implementation.
  13. Responsibility for implementing improvements.
  14. Responsibility for auditing risk compliance.
17
Q

Define ‘Inherent (or absolute, or gross) risk’

A
  • This is the level of risk before any actions or control activities have been taken to change the likelihood or magnitude of the risk.
  • Sometimes referred to as the ‘gross level’ or ‘absolute level’ of the risk.
18
Q

Explain the benefit of identifying the inherent level of risk.

A
  • Identifying the inherent level of the risk makes it possible to identify the importance of control measures in place.
  • The difference between the residual level and the inherent level can be identified.
  • The IIA has previously held the view that the assessment of all risks should commence with the identification of the inherent level of risk.
  • The guidance from the IIA has previously stated that “in the risk assessment, we look at the inherent risks before considering any controls”.
  • Allows better consideration of whether there is over-control in place.
  • If the inherent risk is within appetite, resources may not need to be expended on controlling that risk.
19
Q

Define ‘residual risk’.

A

Hopkin (2018) defines residual risk to be:
• The existing level of risk taking into account the controls in place.
• Sometimes referred to as ‘net risk’, or ‘managed risk’, but most frequently as ‘residual risk’.

20
Q

Define two purposes of carrying out a risk assessment.

A
  1. To identify what is believed to be the current level of risk.
  2. To identify the key controls that are in place to ensure that the current level is actually achieved.
21
Q

What does STOC stand for? (Core processes)

A
  • Strategic
  • Tactical
  • Operational
  • Compliance
22
Q

Describe the ways in which risks can impact an organisation’s operations, tactics, and strategy.

A

Operations:
• By making them less efficient and by causing disruption to the operations.
• Risks can also cause damage to the plant or machinery upon which the operations depend.

Tactics:
• Hopkin shows that tactics are often about turning strategy into action through projects and programmes.
• Projects are undertaken in order to make the processes operated in the organisation more effective.
• Risks can impact the timescale for delivery of the project, the costs involved, and/or the performance or achievement of the required specification (quality) of the completed work.

Strategy:
• Should be capable of delivering exactly what is required.
• Strategic risks may affect the long-term viability of the organisation and may arise from the incorrect selection of projects, the failure to predict changes in the marketplace, and failure to anticipate stakeholder demands or competitive behaviour.

23
Q

Define ‘Risk Exposure’.

A
  • The level of risk to which the organisation is actually exposed, either with regard to an individual risk, or the cumulative exposure to the risks faced by the organisation.
  • The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materialising and the impact of the risk when it does materialise.
24
Q

Define the term ‘consequences’.

A

‘Consequences’ is the effect on the strategic, tactical, operational, and compliance (STOC) core processes resulting from a risk materialising.

25
Q

Define ‘Impact’.

A
  • Impact is the effect on the finances, infrastructure, reputation, and marketplace (FIRM) when a risk materialises.
  • Impact is a risk analysis measure at the residual risk level.
26
Q

Define ‘magnitude’.

A
  • Magnitude is the size of the event when a risk materialises.
  • Sometimes referred to as the ‘severity’ of the event.
  • Magnitude is a risk analysis measure at the inherent risk level.
27
Q

Define ‘Likelihood’.

A
  • Likelihood is the evaluation or judgement regarding the chances of a risk materialising.
  • Sometimes expressed as a ‘probability’ or ‘frequency’.
28
Q

Draw the ‘Attachment of Risk’ model, clearly indicating the components that “support or deliver”, and “impact or attach”.

A

See Figure 2.1 Hopkin (2018).

29
Q

State 4 different ways in which risks can be attached.

A
  1. Key dependencies
  2. Core processes
  3. Corporate objectives
  4. Stakeholder expectations
30
Q

An organisation’s vision (or mission) statement is central to the impact of risk.
Using the ‘attachment of risk’ theory, explain how a significant risk can impact on the vision or mission of an organisation.

A

A) If you can reproduce the ‘attachment of risk’ model, you will have shown the impact route sufficiently to answer this question.

B) This question relates to the tracking of the impact of risk within an organisation’s internal environment using the ‘attachment of risk’ model.
It shows that a significant risk can impact on an organisation’s vision/mission through:
• a failure to meet stakeholder expectations;
• the interruption of a core process or operations, such as a supply failure; and
• the loss of a key dependency of the organisation.

31
Q

Define ‘Key Dependencies’.

A
  • Key dependencies are the key things that the organisation needs to be successful.
  • They might be internal or external things.
  • They are what the business depends upon for its future success.
  • FIRM
32
Q

Define ‘Core Processes’.

A
  • Core processes are a set of co-ordinated business “activities that deliver a specific stakeholder expectation”.
  • That may be strategic, tactical, operational, or compliance (STOC).
33
Q

Define ‘Stakeholders’.

A
  • Stakeholders are the groups or individuals who have a stake in the business
  • Or have an interest in the activities of the organisation
  • Summarised by CSFSRS (customers, staff, financiers, society, regulators, suppliers).
34
Q

Explain three possible impacts of the ‘attachment of risks’ model to different aspects of an organisation.

A

• Risks can be attached to several features of an organisation, including corporate objectives, stakeholder expectations, and key dependencies:

  1. Corporate objectives
    • Are normally used for the attachment of risks, but this will only be successful if corporate objectives are fully stated.
    • Corporate objectives tend to be annualised change objectives for most organisations.
    • Many organisations fail to fully state their operational objectives.
  2. Stakeholder expectations
    • Different stakeholders in an organisation may have different expectations.
    • It is possible that these expectations will be contradictory.
    • An organisation will need to decide which expectations it is going to deliver and identify the risks that will impact the delivery of those stakeholder expectations.
  3. Key dependencies
    • Represent the features that the organisation depends on in order to be successful.
    • Key dependencies can be identified in relation to the financial, infrastructure, reputational, and marketplace (FIRM) components of the organisation.
35
Q

List three disadvantages associated with the ‘objectives-driven’ approach to risk and risk management.

A
  1. Risks are greater in circumstances of change.
  2. The analysis of each objective in turn may not lead to robust risk recognition / identification.
  3. Business objectives are usually stated at too high a level for the successful attachment of risks.
  4. There is a danger of considering risks out of the context that gave rise to them.
  5. Risks that are analysed in a way that is separated from the situation that led to them will not be capable of rigorous and informed evaluation.
36
Q

Draw a diagram, which shows the trade-off between risks and reward during the life-cycle of an organisation.

A

See Figure 2.2 ‘Risk and reward’ Hopkin (2018).

37
Q

With reference to Hopkin’s Figure 2.2 ‘Risk and Reward’, describe the 4 stages represented in the diagram.

A
  • Figure 2.2 illustrates the relationship between the level of risk and the anticipated size of reward.
  • The value at risk represents the risk appetite of the organisation with respect to the activity that it is undertaking.
  • Applies to opportunity risk.
  1. Start-up Operation
    • New organisation or new product (high risk, and initial expected low return).
  2. Growth
    • Growth phase for the business or product.
    • As the business develops (high risk, high return)
  3. Mature Operation
    • Investment matures (high return, low risk)
  4. Decline
    • Organisation becomes fully mature
    • The normal expectation in very mature markets is that the organisation or product will be in decline (low risk, low return)
38
Q

In terms of hazard risks, project risks, and opportunity risks, define a potential benefit for each as a result of increased risk management efforts.

A

Hazard risks:
• Fewer disruptive events

Project risks:
• Project is more likely to be delivered on time, within budget, and to specification/quality.

Opportunity risks:
• Risk versus reward analysis should result in fewer unsuccessful products, and a high level of profit.
• Or, at worst, a lower level of loss for all new activities or new products.

39
Q

What are the four sources of hazard risks / categories of operational disruption?

A
4P’s
• People
• Premises
• Processes
• Products
40
Q

For each of the 4 categories of operational disruption / sources of hazard risks, provide an example.

A
  1. People
    • Lack of people skills and/or resources
    • Unexpected absence of key personnel
  2. Premises
    • Theft or loss of physical assets
    • Damage to and breakdown of physical assets
  3. Processes
    • Failure of IT hardware or software systems
    • Disruption by hacker or computer virus
  4. Products
    • Poor product or service quality
    • Disruption caused by failure of supplier.
41
Q

According to Hopkin (2018), what are the sources of risk, and their timescale of impact?

A

Long-term:
• Strategic risks
• Impact years after event occurs
• E.g. the launch of a new product: the result of that decision may not be fully apparent for some time

Medium-term:
• Tactical (project) risks.
• Impact about a year after the event occurs
• E.g. a new computer system is to be installed (a long-term strategic decision); however, the decisions regarding the project to implement the software will be medium-term decisions.

Short-term:
• Operational risks.
• Impact immediately after the event occurs
• E.g. accidents at work, traffic accidents, fire, and theft are all short-term risks that have an immediate impact and immediate consequences as soon as the event has occurred.

All-term:
• Compliance risks
• Impact can be at any time.

42
Q

Describe the event that triggered the failure of Northern Rock.

A
  • The liquidity crisis resulted in customers queuing to withdraw their savings.
  • The trigger for the crisis was the drying up of liquidity in the global institutional debt markets - known as the ‘wholesale’ market - following a rise in mortgage defaults in the US.
  • These defaults were concentrated in ‘sub-prime’ mortgages - home loans to borrowers with poor credit quality.
  • Northern Rock built up its mortgage portfolio very rapidly, and became more reliant on the wholesale markets for finance, rather than personal savers.
  • As liquidity in the wholesale markets dried up, Northern Rock’s business model began to unravel.
43
Q

What are the levels of sophistication in terms of Figure 4.2 ‘Risk Management Sophistication’ in Hopkin (2018)?

A
  • Inform -> Compliance management (minimise) unaware of obligations
  • Reform -> Hazard management (mitigate) fearful of requirements
  • Conform -> Control management (manage) auditing of compliance
  • Perform -> Opportunity management (embrace) achievement of benefits
  • Deform
44
Q

What are the levels of risk management sophistication (maturity) in terms of the 4N’s?

A
  • Naïve
  • Novice
  • Normal
  • Natural
45
Q

What are the four levels of sophistication in terms of FOIL?

A
  • Fragmented
  • Organised
  • Influential
  • Leading
46
Q

What does FIRM stand for in terms of risk consequences?

A
  • Financial
  • Infrastructure
  • Reputational
  • Marketplace
47
Q

State four purposes of the ‘bow-tie’ risk analysis technique.

A
  1. A tool for representing the risk management activities/processes
  2. Demonstrates the risk classification systems used by the organisation and the potential range of impacts should a risk materialise
  3. To illustrate the various types of controls that are available to an organisation
  4. Is a simple way of analysing a risk to gain a greater understanding
48
Q

What is the definition of ‘Risk Source’ according to ISO31000?

A

ISO31000 defines ‘risk source’ as the “element which alone or in combination has the potential to give rise to risk”.

49
Q

Describe the different components of the ‘bow-tie’ risk analysis technique.

A
  1. (LHS) Source:
    • Risk classification system used by the organisation for the sources of risk
    • High-level sources of risk can be described as strategic, tactical, operational, and compliance (STOC)
  2. (RHS) Impact:
    • Impact should the risk materialise / event occur
    • High-level components of financial, infrastructure, reputational, and marketplace (FIRM)
    • FIRM enables the identification of response controls
  3. (CENTRE) Risk Event
    • Categories of disruption that can affect organisations
    • 4P’s of operational disruption, people, premises, products, and processes.
  4. (VERTICAL LINES) Controls
    • LHS - controls can be put in place to prevent the event occurring.
    • RHS - recovery/response controls
    • PCDD - preventative, corrective, directive, and detective.
50
Q

State two reasons why understanding the history of risk management can be useful.

A
  1. You will need to understand risk management history to explain where we are now in risk management and where this will lead in the future.
  2. History tells us that new risks come and old risks disappear; we can learn lessons from how people reacted to new, emerging risks.
51
Q

Describe the development of risk management, referring to points in time.

A
  • The earliest origins, in the specialist activity of insurance, can be traced back several centuries.
  • 1950s - escalating insurance costs.
  • 1960s-1970s - financial / insurance based (hazard focused, e.g. health and safety). Contingency planning became more important.
  • 1970s - contingency plans developed into Business Continuity planning and Disaster Recovery plans.
  • 1980s - risk management techniques applied to project risks. Focus on market risks and credit risks.
  • 1990s - organisations consider operational risks, and the first CRO is appointed.
  • 2000s - rise of the holistic ERM approach and specialisation. Sarbanes-Oxley Act introduced in the United States in 2002.
52
Q

In terms of the IRM’s 8Rs and 4Ts of (hazard) risk management, what are the 8Rs?

A
  1. Recognition (identification) of risks.
  2. Rating (evaluation) of risks in terms of magnitude and likelihood (Inherent rating) that is recorded in the risk register.
  3. Ranking (analysis) of the residual level of risk against the risk appetite.
  4. Responding to significant risks (4T’s).
  5. Resourcing controls to ensure the adequate arrangements are made to introduce and sustain necessary control activities.
  6. Reaction planning/event management (DRP/BCP).
  7. Reporting and monitoring of risk performance, actions, and events and communicating of risk issues via the risk architecture of the organisation.
  8. Reviewing the risk management system, including Internal Audit procedure, and arrangements for the review and updating of the risk architecture, strategy, and protocols.
53
Q

In terms of the IRM’s 8Rs and 4Ts of (hazard) risk management, what are the 4Ts (risk response)?

A
  • Treat
  • Tolerate
  • Transfer
  • Terminate
54
Q

Define ‘risk management’ according to the IRM.

A
  • Risk management is a process which aims to help organisations to understand, evaluate, and take action on all their risks
  • with a view to increasing the probability of success and reducing the likelihood of failure.
55
Q

Define what is meant by ‘risk management’ according to International Organisation for Standardisation (ISO, 2018).
- ISO31000

A

• Risk management is a set of coordinated activities to direct and control an organisation with regard to risk.

56
Q

Define what is meant by ‘risk management’ according to COSO (2017).

A
  • The culture, capabilities and practices
  • integrated with strategy setting and its execution, that organisations rely on
  • to manage risk in creating, preserving, and realising value.
57
Q

Define what is meant by ‘risk management’ according to the Orange Book from HM Treasury.

A
  • Risk management is all the processes involved in identifying, assessing, and judging risks
  • assigning ownership, taking actions to mitigate or anticipate them
  • and monitoring and reviewing progress
58
Q

Define ‘Enterprise Risk Management’ according to the Risk and Insurance Managers Society (RIMS)

A
  • Enterprise Risk Management (ERM) is a strategic business discipline
  • that supports the achievement of an organisation’s objectives
  • by addressing the full spectrum of its risks
  • and managing the combined impact of those risks as an interrelated risk portfolio.

Note: ERM takes a more integrated and holistic approach compared to RM.

59
Q

An effective risk management framework is underpinned by a set of principles. What are they?

A

PACED

  • Proportionate - to the level of risk the organisation faces (in terms of the size, nature, and complexity)
  • Aligned - ERM activities should be aligned with other activities within the organisation.
  • Comprehensive - any risk management initiative covers all the aspects of the organisation and all the risks that it faces (systematic and structured)
  • Embedded - With business procedures and protocols
  • Dynamic - and responsive to changing business environment faced by the organisation, and to emerging and changing risks.
60
Q

Describe the benefits of Enterprise Risk Management in terms of MADE2.

A

Successful ERM should deliver the following objectives (MADE2):

  • Mandatory - organisation complies with legal and regulatory obligations, as well as customer or client requirements.
  • Assurance - the board and audit committee will require assurance that significant risks have been identified, and controls put in place.
  • Decision-making - is properly considered in relation to strategic decision-making, effective delivery of projects and programmes of work, and the routine operations of the organisation.
  • Effective & Efficient Core Processes - STOC and the selected strategy need to be effective and efficient, in that it is capable of delivering exactly what is required.
61
Q

Describe the benefits of Enterprise Risk Management in terms of FIRM.

A

• Financial

  • Enhanced corporate governance
  • Increased profitability of an organisation
  • Accurate financial risk reporting

• Infrastructure

  • Reduced operating costs
  • Efficiency and competitive advancement
  • Achievement of the state of no disruption
  • Improved supplier and staff morale

• Reputational

  • Regulators satisfied
  • Enhanced shareholder value
  • Good reputation and publicity
  • Improved perception of organisation

• Marketplace

  • Better marketplace presence
  • Low ratio of business disasters
  • Commercial opportunities maximised
  • Increased customer spend (and satisfaction)
62
Q

List four steps that will help you achieve successful ERM in your organisation.

A
  1. Engage Senior Management and the Board of Directors to provide organisational support and resources.
  2. Establish an independent ERM function reporting directly to a board member.
  3. Establish the risk architecture at Executive and Board levels, supported by Internal Audit.
  4. Develop an ERM framework that incorporates an appropriate Risk Classification System.
  5. Develop a risk-aware culture that is fostered by common language, training and education.
  6. Provide written procedures with a clear statement of the risk appetite of the organisation.
  7. Agree monitoring and reporting against established objectives for risk management.
  8. Undertake risk assessments to identify accumulations and interdependencies of risk.
  9. Integrate ERM in strategic planning, business processes, and operational success.
  10. Contribute to the success of the organisation by delivering measurable benefits.