Module 1, Unit 1 Key concepts in RM Flashcards
Distinguish between Risk and Risk Management
Give examples of the definition of risk
- A risk has to be something that is uncertain. It is common therefore to find words such as uncertain, potential, likelihood used in definitions.
- A risk can be both positive and negative. It is common therefore to find words such as opportunities and threats, pros and cons, positives and negatives being used.
- A risk needs to be something that, if it happens, will impact on what we are trying to achieve. This might be your team, your organisation or broader society. Remember that you should always consider not just the impact of the world on you, but also your impact on the world.
What is the ISO31000 definition of Risk Management?
Coordinated activities to direct and control an organisation with regard to risk.
What are the ISO31000 categories of risk?
- Compliance – mandatory risks - Hopkin regards these as threats
- Hazard risks – negative risks - Hopkin regards these as threats
- Control risks – uncertainty - Hopkin regards these as threats
- Opportunity risks – positive risk
Explain what a compliance risk is (threats)
Mandatory Risk
Adheres to Law and Regulation
Legal and Financial penalties for failing to act
Compliance represents a licence to operate
Example: A new organisation would need to be authorised by the authorities to operate.
Explain what a hazard risk is (threats)
Negative Risk
Potential to harm objectives
Often insurable as they can only have a negative effect
Most common risks in RM, including occupational health and safety programmes
Examples are theft, H&S at work, fire prevention, IT hacking
Explain what a Control risk is (threats)
Uncertainty risks - unknowns that are difficult to quantify
Example: When they design their new software, control risks will arise (unknowns that are difficult to quantify)
Explain what Opportunity Risks are (positive risk)
Risks associated with taking the opportunity and
Risks of not acting (not always a positive outcome)
During changing environment of the global pandemic, organizations have deliberately taken risks in order to survive.
These can be considered as opportunity or speculative risks.
Some organizations have altered their business models, for example a farm shop providing new services such as ‘click and collect’ or delivery services.
The purpose has been to take action that involves risk to achieve positive gains or, in extreme cases, survival.
Example: When the software is released they may have the opportunity to sell to another company, thereby attracting new customers
Name some risk specialisms
Insurance, H&S, Financial, Information technology, Project, Programme
Explain a definition of risk for the certificate
Uncertainties that matter, or
the effect of uncertainty on objectives, considering both sides of the coin - threats and opportunities
Explain Inherent level of risk
The level of risk before any actions have been taken to change the likelihood or magnitude of the risk
Sometimes referred to as the ‘gross’ or absolute risk.
Explain Residual level of risk
The level of risk after initial control measures have been put in place
The current or residual level of risk is sometimes referred to as the ‘net’ or the managed level of risk.
Explain target level of risk
The level of risk that is desired or will be obtained with the application of further control measures
Name four areas of improvement that managing risks can bring to an organisation (STOC)
Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.
What is an organisation's approach to assess, pursue, retain, take or turn away from risk called?
Risk Attitude
What is the amount and type of risk an organisation is willing to take to pursue or retain its objectives?
Risk Appetite
Define the word Impact and what it affects (acronym)
How the event affects the finances, infrastructure, reputation and/or marketplace (FIRM) of the organisation
Define a cause
OB - an element which alone or in combination has the potential to give rise to the risk
Define an event
An occurrence or change of circumstances (can be something that is expected which doesn't happen, or something that is not expected that does happen)
Events can have multiple causes and consequences and can affect multiple objectives
Define a consequence
'Should the event happen'. Consequences are the outcome of an event affecting objectives, which can be certain or uncertain, can have positive or negative direct or indirect effects on objectives, can be expressed qualitatively or quantitatively and can escalate through cascading and cumulative effects.
What is the difference between Risk and Risk Management?
Risks are considered as uncertainties that matter, i.e. the effect on objectives, considering both sides of the coin, threats and opportunities.
ISO 31000 defines risk management
‘Coordinated activities to direct and control an organisation with regard to risk.’
Effective risk management helps organisations to identify, understand and manage their risks, thereby maximising the likelihood of achieving their objectives. This is the first and overriding purpose of risk management.
What is ERM?
Recognises that risks in one area can relate to risks occurring elsewhere, and these links and relationships need to be managed just as much as individual risks in isolation.
Also a strategic business discipline that supports the achievement of an organisation's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Name Risk Specialisms
Insurance, health and safety, information technology and financial risk management. ERM was developed to overcome the silo-based approach.
Name the four categories/types of risk
Compliance (mandatory) and law regulations
Hazard (threats - negative insurable risks)
Control (unexpected or unknown risks)
Opportunities (positive risk)
Name the three recognised international standards and frameworks
ISO31000 (2018)
COSO (2004 and 2017)
Orange book (2023)
Define a Control Risk
Unknown or unexpected events.
Name the three important historic events in RM
Introduction of the Hindu-Arabic numbering system in Europe
* This introduced the first numbering system to allow advanced calculations in 100s, 1000s and negative numbers. This provided the basis for modern maths and science
Invention of probability theory 17th Century
* Invented first for games of chance and gambling (dice/ cards)
* Used to mathematically calculate the odds of winning (probability theory) which meant people could make predictions and theories with the help of numbers
Growth of modern bureaucratic states 19th Century
* Where large quantities of information, such as economic affairs and population, were collected, generating lots of data used to analyse and predict a wide variety of events
What are the four areas of improvement an organisation can achieve by using RM?
These are also the four CORE areas - acronym
STOC
Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
Tactics (actions): Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.
Name some soft and hard benefits of risk management
Soft: People benefits such as improving working relationships
Hard: Higher return on investment.
Name four benefit areas of ERM (chapman)
Strategy,
Governance,
Organisational Performance,
People
What is the importance and value (benefits) of RM from a Governance perspective?
Complies with legal and regulatory requirements,
Enhances corporate governance,
Embeds the risk process throughout the organisation,
Rationalises capital.
Why is risk important? (acronym)
Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.
What is corporate governance?
System of
rules,
practices,
processes
by which an organisation is directed and governed.
What approach (GRC) is used to deliver objectives whilst managing uncertainty?
Governance, risk and compliance approach
What are the four types of risk?
Control/Uncertainty
Hazard
Opportunity
Compliance
How can risks be classified?
Risks can be classified according to:
Nature of the impact (financial, infrastructure, reputation damage, marketplace)
Likely magnitude of risk
Timescale of impact after the event occurs
Source of the risk
The component or feature of the organisation that will be impacted (people, premises, products, or processes)
What is the difference between impact and magnitude?
Magnitude is the inherent level of the event whilst impact can be considered to be the risk managed level.
Define 'impact' - failure to define how the event affects... (acronym)
and 'consequences' - results in failure to achieve... (acronym)
Impact is used to define how the event affects the finances, infrastructure, reputation, or market place.
Consequences is used to indicate the extent to which the event results in failure to achieve efficient and effective strategy, tactics, operations and compliance.
What are the time frames associated with long, medium and short term impacts?
Long term - impact is several years later, e.g. launch of a new product
Medium term - some time after the event, typically about a year e.g. a project or programme of work
Short term - immediately after event e.g. accident at work
Give a definition of risk management
ISO73 - Coordinated activities to direct and control an organisation with regard to risk
IRM - a process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success
HM Treasury - all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
LSE - selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk
Hopkin - the set of activities within an organisation undertaken to deliver the most favourable outcome and reduce the volatility or variability of that outcome.
What are the 8 R's?
Recognise - the risk and circumstances it could arise in
Rate - in terms of likelihood and magnitude
Rank - against criteria (or risk appetite)
Respond - to significant risks (the four T’s)
Resource controls
Reaction planning
Report- monitoring of risk performance
Review - the risk management system, including internal audit
What are the 4 T's?
Tolerate
Treat
Transfer
Terminate
What are the five levels of risk management sophistication?
Clue: *FORMS
Unaware of obligations - INFORM
Awareness of non-compliance - REFORM
Actions to ensure compliance - CONFORM
Achieve business opportunities - PERFORM
Inactivity caused by obsession - DEFORM
What are the principles of a successful risk management framework?
Acronym
PACED
Proportionate to the level of risk in the organisation
Aligned with other business activities
Comprehensive, systematic and structured
Embedded within business procedures and protocols
Dynamic, iterative, and responsive to change
What are the desired outputs/objectives of risk management? (acronym)
Mandatory obligations placed on the organisation complied with
Assurance regarding the management of significant risks
Decision making that pays full regard to risk considerations
Effective and efficient core processes (STOC)
MADE2