Module 1, Unit 1 Key concepts in RM Flashcards
Distinguish between Risk and Risk Management
What is the ISO31000 definition of Risk Management
Coordinated activities to direct and control an organisation with regard to risk.
What are the ISO31000 categories of risk
- Compliance – mandatory risks - Hopkin regards these as threats
- Hazard risks – negative risks - Hopkin regards these as threats
- Control risks – uncertainty - Hopkin regards these as threats
- Opportunity risks – positive risk
Explain what a compliance risk is (threats)
Mandatory Risk
Adheres to Law and Regulation
Legal and Financial penalties for failing to act
Compliance represents a licence to operate
Example: A new org would need to be authorised by the authorities to operate.
Explain what a hazard risk is (threats)
Negative Risk
Potential to harm objectives
Often insurable as they can only have a negative effect
Most common risks in RM, including occupational health and safety programmes
Examples are theft, H&S at work, fire prevention, IT hacking
Explain what a Control risk is (threats)
Uncertainty risks: unknowns that are difficult to quantify
Example: When they design their new software, control risks will arise (unknowns that are difficult to quantify)
Explain what Opportunity Risks are (positive risk)
Risks associated with taking the opportunity and
Risks of not acting (not always a positive outcome)
During changing environment of the global pandemic, organizations have deliberately taken risks in order to survive.
These can be considered as opportunity or speculative risks.
Some organizations have altered their business models, for example a farm shop providing new services such as ‘click and collect’ or delivery services.
The purpose has been to take action that involves risk to achieve positive gains or, in extreme cases, survival.
Example: When released, they may have the opportunity to sell to another company, thereby attracting new customers
Name some risk specialisms
Insurance, H&S, Financial, Info technology, Project, Programme
Explain a definition of risk for the certificate
uncertainties that matter, or
the effect of uncertainty on objectives, considering both sides of the coin - threats and opportunities
Explain Inherent level of risk
The level of risk before any actions have been taken to change the likelihood or magnitude of the risk
Sometimes referred to as the ‘gross’ or absolute risk.
Explain Residual level of risk
The level of risk after initial control measures have been put in place
The current or residual level of risk is sometimes referred to as the ‘net’ or the managed level of risk.
Explain target level of risk
The level of risk that is desired or will be obtained with the application of further control measures
Name four areas of improvement that managing risks can bring to an organisation (STOC) and why
Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.
What is an organisation's approach to assess, pursue, retain, take or turn away from risk called
Risk Attitude
What is the amount and type of risk an org is willing to take to pursue or retain its objectives
Risk Appetite
Define the word Impact and what it affects (acronym)
How the event affects the finances, infrastructure, reputation and or marketplace (FIRM) of the org
Define a cause
OB - an element which alone or in combination has the potential to give rise to the risk
Define an event
an occurrence or change of circumstances (can be something that is expected which doesn’t happen, or something that is not expected that does happen)
Events can have multiple causes and consequences and can affect multiple objectives
Define a consequence
‘should the event happen’. Consequences are the outcome of an event affecting objectives, which can be certain or uncertain, can have positive or negative direct or indirect effects on objectives, can be expressed qualitatively or quantitatively and can escalate through cascading and cumulative effects.
What’s the difference between Risk and Risk Management
Risks are considered as uncertainties that matter, i.e. the effect on objectives, considering both sides of the coin, threats and opportunities.
ISO 31000 defines risk management as
‘Coordinated activities to direct and control an organisation with regard to risk.’
Effective risk management helps organisations to identify, understand and manage the risks, thereby maximising the likelihood of achieving their objectives. And this is the first and overriding purpose of risk management.
What is ERM
Recognises that risks in one area can relate to risks occurring elsewhere, and these links and relationships need to be managed just as much as individual risks in isolation.
Also strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio
Name Risk Specialisms
insurance, health and safety, information technology and financial risk management.
ERM was developed to overcome the silo-based approach
Name the four categories/types of risk
Compliance (mandatory) – law and regulations
Hazard (threats - negative insurable risks)
Control (unexpected or unknown risks)
Opportunities (positive risk)
Name the three recognised international standards and frameworks
ISO31000 (2018)
COSO (2004 and 2017)
Orange book (2023)
Define a Control Risk
Unknown or unexpected events.