Module 1 - Unit 1 - Introduction To Risk Management Flashcards
Give examples of the definition of risk
Oxford English Dictionary - a chance or possibility of danger, loss, injury or other adverse consequence.
ISO guide 73 - the effect of uncertainty on objectives. Note that this may be positive or negative or a deviation from the expected. Also risk is often described by an event, a change in circumstances, or a consequence.
This definition appears to assume some familiarity with risk management and may not be easy to apply to everyday life.
IRM - risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.
Orange Book (HM Treasury) - uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
Institute of internal auditors - the uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.
What are the four types of risk?
Control/Uncertainty
Hazard
Opportunity
Compliance
How can risks be classified?
Risks can be classified according to:
Nature of the impact (financial, infrastructure, reputation damage, marketplace)
Likely magnitude of risk
Timescale of impact after the event occurs
Source of the risk
The component or feature of the organisation that will be impacted (people, premises, products, or processes)
What is the difference between impact and magnitude?
Magnitude is the gross or inherent level of the event (before controls), whilst impact can be considered to be the risk-managed (residual) level after controls are applied.
What are the four core processes?
Strategy
Tactics
Operations
Compliance
What factors are relevant to a risk description?
Name or title of the risk
Statement of the risk, including scope of the risk and details of potential impact
Nature of risk, including details of the risk classification and timescale of potential impact
Stakeholders in the risk, internal and external
Risk attitude, appetite, tolerance, limits for the risk and/or risk criteria
Likelihood and magnitude of the event and consequences should the risk materialise at current/residual level
Control standard required, target level of risk or risk criteria
Incident and loss experience
Existing control mechanisms and activities
Responsibility for developing risk strategy and policy
Potential for risk improvement and level of confidence in existing controls
Risk improvement recommendations and deadlines for implementation
Responsibility for implementing improvements
Responsibility for auditing risk compliance
What are the options for risk attachment?
Corporate objectives
Stakeholder expectations
Key dependencies
Core processes
What is the rationale for risk attachment?
The rationale for the attachment of risk is that organisations should map out the consequences of risk in order to fully analyse their impact.
Define ‘impact’ and ‘consequences’ respectively
'Impact' is used to describe how the event affects the finances, infrastructure, reputation, or marketplace.
'Consequences' is used to indicate the extent to which the event results in failure to achieve efficient and effective strategy, tactics, operations, and compliance.
What are the time frames associated with long, medium and short term impacts?
Long term - impact is felt several years after the event, e.g. launch of a new product
Medium term - impact is felt some time after the event, typically about a year, e.g. a project or programme of work
Short term - impact is felt immediately after the event, e.g. an accident at work
Give a definition of risk management
ISO Guide 73 - co-ordinated activities to direct and control an organisation with regard to risk
IRM - process which aims to help organisations understand, evaluate, and take action on all their risks with a view to increasing the probability of success
HM Treasury - all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
LSE - selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk
Hopkin - the set of activities within an organisation undertaken to deliver the most favourable outcome and reduce the volatility or variability of that outcome.
What are the 8R’s?
Recognise - the risk and circumstances it could arise in
Rate - in terms of likelihood and magnitude
Rank - against criteria (or risk appetite)
Respond - to significant risks (the four T’s)
Resource - controls for the significant risks
Reaction - planning for incidents and loss events
Report- monitoring of risk performance
Review - the risk management system, including internal audit
What are the 4 T's?
Tolerate
Treat
Transfer
Terminate
What are the four levels of risk management sophistication?
Unaware of obligations - INFORM
Awareness of non-compliance - REFORM
Actions to ensure compliance - CONFORM
Achieve business opportunities - PERFORM
Beyond these four levels lies a failure state: inactivity caused by obsession with risk - DEFORM
What are the principles of a successful risk management framework?
Proportionate to the level of risk in the organisation
Aligned with other business activities
Comprehensive, systematic, and structured
Embedded within business procedures and protocols
Dynamic, iterative, and responsive to change
What are the desired outputs/objectives of risk management?
Mandatory obligations placed on the organisation complied with
Assurance regarding the management of significant risks
Decision making that pays full regard to risk considerations
Effective and efficient core processes (STOC: strategy, tactics, operations, compliance)
Mnemonic: MADE2 (Mandatory, Assurance, Decision, Effective and Efficient)