Module 1 Unit 3 Risk Context, Obj and assessment Flashcards

Question

What should you consider when planning your approach to define the context (ISO31000)

Answer 1

Objectives and decisions that need to be made Outcomes expected from the activities Time, Location, specific inclusions and exclusions Appropriate Risk Assessment tools and techniques Resources required and Responsibilities and records to be kept Relationships with other projects, processes and activities.

Answer 2

Organizations should define criteria to evaluate the significance of risk and support decision-making. Risk criteria should consider uncertainties affecting outcomes and objectives, and how consequences and likelihood will be defined and measured.

Answer 3

Need to define Internal and External environment in which you operate in Should reflect specific environment to which the RM activities are to be applied Sets structure and foundation for which Risk Assessment will be applied and ensures the reasons for this are clear Provides backdrop against which risks can be identified and assessed

Answer 4

Specify the amount and type of risk you may or may TAKE, RELATIVE TO YOUR OBJECTIVES

Answer 5

Risk Appetite - specifies a technique to determine the magnitude (using a risk matrix) of a risk, or a parameter (sets the conditions) related to risk, together with a limit beyond which risk becomes unacceptable. A common technique to determine the magnitude of a risk and identify an unacceptable level is to use a risk matrix, which typically involves assessing both the likelihood of a risk occurring and the severity of its potential impact, often assigning numerical values to each factor and multiplying them together to calculate a "risk score" that indicates the overall magnitude; a predetermined threshold (Risk Appetite) on this risk score defines the point where a risk becomes unacceptable.

Answer 6

use a risk matrix, which typically involves assessing both the likelihood of a risk occurring and the severity of its potential impact, often assigning numerical values to each factor and multiplying them together to calculate a "risk score" that indicates the overall magnitude

Answer 7

When evaluating risks, you compare their size to certain criteria related to your goals/objectives. This helps you decide which risks need attention based on their potential to affect your goals. However, the size of the risk isn't the only thing that matters. Other factors include sustainability, resilience, ethics, laws, how well controls work, what happens if controls fail, timing, costs, and what stakeholders think.

Answer 8

Organisations often face decisions that affect multiple goals, with both potential risks and benefits. To make these decisions, they need to meet certain criteria and balance competing objectives. It's important to identify relevant criteria and decide how to weight them or make trade-offs. Different stakeholders might have different costs and benefits, so this should be considered. Also, organizations need to decide how to handle uncertainties, which involves their attitude, appetite, and tolerance for risk.

Answer 9

It is your approach to assess and eventually pursue, retain, take or turn away from risk

Answer 10

It is the amount and type of risk that you are willing to pursue or retain to achieve your objectives and outcomes

Answer 11

It is your readiness to bear the risk after risk treatments are implemented to achieve your objectives and outcomes.

Answer 12

KPIs that are tracked on a regular basis Strategic Objectives, KPI, KPI target and projects that may move you towards achievement You then do the same again for operational. So how do we achieve the DP, then CP, then individual directorate objectives with KPIs, Targets and the HOW we could do this to move towards achieving this objective. (projects)

Answer 13

The IRM define the extended enterprise as “a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own” within the timescale within which they wish to operate, with the skills available to them.

Answer 14

Key dependencies are the key things that the organisation needs to be successful; they might be internal or external things but in short, they are what the business depends upon for its future success. Core processes are fundamental to organisational success because they are the means of delivery of strategy and continuity of operations. A core process can be defined as “the collection of activities that deliver a specific stakeholder expectation”. Stakeholders are the groups of individuals who have a stake in the business, or are affected by what the organisation does – such as investors, suppliers, customers, the wider society and government.

Answer 15

SWOT and consider Dependencies, Core Processes and Stakeholders.

Answer 16

ISO 31000 states that “the purpose of risk identification is to find, recognise and describe risks that might help or prevent an organisation achieving its objectives”.

Answer 17

A cause is an element which alone or in combination has the potential to give rise to risk

Answer 18

An event is an occurrence or change of a set of circumstances and can be something that is expected which does not happen or something that is not expected which does happen. Events can have multiple causes and consequences and can affect multiple objectives

Answer 19

the consequences should the event happen – consequences are the outcome of an event affecting objectives, which can be certain or uncertain, can have positive or negative direct or indirect effects on objectives, can be expressed qualitatively or quantitatively, and can escalate through cascading and cumulative effects

Answer 20

A bow Tie diagram Centre of bow tie is the risk (Event) left are the immediate and underlying threats or causes. To the right are the immediate and ultimate consequences.

Answer 21

Because it requires us to look at the causes of the risks from all aspects of the enterprise (not just at one level) and similarly to map enterprise-wide consequences ( so several contributory causes for one risk) Note that the risk bow-tie can be used for both threats and opportunities.

Answer 22

Questionnaires and checklists workshops and brainstorming inspections and audits flow charts and dependency analysis crowdsourcing technology

Answer 23

SWOT and PESTLE

Answer 24

Hazard and operability (HAZOP) and Failure modes effects analysis (FMEA)

Answer 25

Unlikely, Possible, Likely and Almost Certain ( four stops people choosing the middle option)

Answer 26

Small, moderate, severe, catastrophic ( hospital example)

Answer 27

Those which you know little about when they are recognised. A risk that is evolving in areas and ways where the body of available knowledge is weak. Differences between emerging risks and BAU Risks: being ambiguous, chaotic, complex, time-horizon can change, uncertain, uncontrollable, and volatile.

Answer 28

Adherence to the law and regulations Captures legal and financial penalties for failing to act Represents a licence to operate

Answer 29

Undermines objectives in a negative way. Most commons associated with operational risks inc H&S programmes Example is theft

Answer 30

ISO 31000 (2018) states: ‘The purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk.’ They follow this up with a note to the effect that ‘…risk analysis provides an input into risk evaluation, to decisions on whether risk needs to be treated and how.’

Answer 31

Analysing Risks: * Involves understanding the nature, sources, and potential impacts of identified risks. * Focuses on determining the likelihood and consequences of risks. * Uses qualitative and quantitative methods to assess risk characteristics. Evaluating Risks: * Involves comparing the results of risk analysis against risk criteria to determine their significance. * Helps prioritize risks based on their potential impact and likelihood. * Aims to decide which risks need treatment and the best ways to manage them. In short, analysing risks is about understanding them, while evaluating risks is about deciding what to do about them.

Answer 32

Looking at past records. Looking at personal relevant experience (and intuition). Looking at industry-relevant experience of the risk. Looking at published literature on the risk. Doing some testing or experiments (e.g., market research). Using economic or statistical models to make forecasts. Using experts in the area of that risk to make judgments. These activities help you understand the nature, sources, and potential impacts of risks.

Answer 33

Comparing the risks based on potential impact to your objectives. Comparing the potential likelihood of happening. Comparing relative velocity. Comparing relative vulnerability of different parts of the organization the risks are linked to. Comparing relative exposure of different parts of the organization the risks are linked to. Considering proximity. Assessing the level of action or control needed to manage the risks to a desired (target) state. Comparing the relative difficulty of managing those risks. Considering the relative influence of a single risk on other risks (dependency/cascade factor). These activities help you prioritize and decide which risks need treatment and how to manage them.

Answer 34

Three steps to give a simple value chain for an org. 1. Core activities of team, function, department, project or org - what is it that you do 2. The key inputs to those activities - what do you need in order to do what you do 3. The key outputs from those core activities - what is it that you deliver from those core activities

Answer 35

13, Strategy, Governance, Operations, Legal, Property, Financial, Commercial, People, Technology, Information, Security, Proj/Prog and Reputational.

Answer 36

Political, Economic, Social, Technological, Legal, Environmental (PESTLE) To identify INTERNAL/EXTERNAL Context

Answer 37

Top left - Keep Satisfied, Top right - Actively Engage and Manage, Bottom Left - Minimal Effort and Bottom Right - Keep Informed.

Answer 38

Exploration of what the future might look like to understand uncertainties better and to analyse whether the organisation is adequately prepared for potential opportunities and threats”. It is not about trying to predict the future but rather to review options so that evidence-based decisions can be made”.

Answer 39

SPECIFIC – be specific about what you want to accomplish MEASUREABLE – define the metrics that determine if you meet the goal ACHIEVEABLE – do you have the tools/skills needed, if not what action RELEVANT – ensure the objective is aligned to the business strategy TIME-BOUND – provide a realistic target date for delivery.

Answer 40

Risk criteria measure how much risks matter to an organization in relation to its ability to achieve objectives. This links to risk analysis, risk evaluation, and risk appetite.

Answer 41

Structure and Processes: Divisions, departments, structures, systems, processes, and accountability. Culture and Leadership: Organizational culture, leadership, strengths, and weaknesses. Internal Stakeholders: Staff, managers, and the board. Corporate Governance: Approach to governance, resources, competencies, capabilities, and conduct. Objective Setting: Factors influencing how objectives are set and achieved.

Answer 42

What are our objectives? What is our capacity? What are our business processes? How do we make decisions?

Answer 43

The external context includes the external environment where an organisation operates, affecting its ability to achieve objectives

Answer 44

Financial crisis COVID-19 pandemic New Government

Answer 45

The organisations risk management context (relates to the Risk FW as a whole including RASP FW) the internal context the external context

Answer 46

Architecture (governance, reporting, operational structure, R&R's)

Answer 47

Structure, objectives, policies, strategies, processes, culture, and values of its people. The A in RASP

Answer 48

External Stakeholder expectations industry regulators behaviour of competitors general economic environment

Answer 49

What are our objectives what is our capacity what are our business processes how do we make decisions

Answer 50

What does the world look like around us what is driving our strategic direction

Answer 51

Extended Enterprise PESTLE Stakeholder Mapping Horizon Mapping

Answer 52

a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own.” 

Answer 53

1. Core activities of team, function, dept, project being considered 2. Key inputs to those core activities - what do you need to do 3. Key outputs from core activities - what is it that you deliver 4. The external influences that can affect those inputs, core activities and outputs.

Answer 54

Political ,Economic ,Social  Technological ,Legal ,Environmental (or Ethical Hopkin/Thompson)

Answer 55

Assessment of important/influence/attitude of Int/Ext stakeholders.

Answer 56

A technique looking at complexity, challenge assumptions and review multiple ways that events could unfurl, in order to increase the resilience and reliability of their organisations Can do 3 times looking at across the near, mid and long term.

Module 1 Unit 3 Risk Context, Obj and assessment Flashcards

Determine the significant risks of an organisation given its context and objectives.