Module 1 Unit 3 Risk Context, Objectives and Assessment Flashcards
Determine the significant risks of an organisation given its context and objectives.
What are the three elements of context under ISO31000?
Risk management context
Internal context
External context
What is the risk management context? Tip: Acronym (RASP)
The risk architecture, strategy and protocols or risk management framework within the organisation.
What are the two functions of the risk management context/risk framework?
Provide support for the risk management process within the organisation
Ensure that the outputs from the risk management process are communicated to internal and external stakeholders
Explain Internal Context
The internal context includes the internal environment where an organization or team operates to achieve its objectives.
It encompasses governance, reporting arrangements, operational structure, roles, and responsibilities.
What elements make up the external context?
The social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment whether international, national, regional or local.
The industry, products, markets, competitors, suppliers, customers, logistics and the regions and countries of operation
Key drivers and trends impacting on the objectives of the organisation
Relationships with and the perceptions and values of external stakeholders
Understanding the external environment can help answer questions such as:
* what does the world around us look like?
* What is driving our strategic direction?
What are the elements of a risk aware culture, LILAC?
Leadership
Involvement
Learning
Accountability
Communication
What are the elements of SMART?
Specific
Measurable
Achievable
Realistic and resourced
Time limited
What barriers exist to implementation of risk management?
Lack of understanding with a belief that it will suppress entrepreneurship.
Lack of support from senior management
Seen as just another initiative
Benefits not perceived as being significant
Not seen as core part of business activity and too time consuming
Approach too complicated and over analytical
Responsibilities unclear and need for external consultants unclear
Risks separated from where they arose and should be managed
Risk management seen as a static activity not appropriate for a dynamic organisation
Risk management too expansive and seeking to take over all aspects of the company
What are the features of an enterprise wide approach to risk management?
Encompasses all areas of organisational exposure to risk
Prioritises and manages those exposures as an interrelated risk portfolio
Evaluates the risk portfolio in the context of all significant internal and external contexts, systems, circumstances, and stakeholders
Recognises that individual risks across the organisation are interrelated and can create a combined exposure that differs from the sum of the individual risks
Provides a structured process for the management of all risks
Seeks to embed risk management as a component in all critical decisions throughout the organisation
Provides a means for the organisation to identify risks that it is willing to take in order to achieve strategic goals
Constructs a means of communicating risk issues, so that there is a common understanding of the risks faced by organisation and their importance
Supports the activities of internal audit by providing a structure for the provision of assurance to the board and audit committee
Views the effective management of risk as a competitive advantage that contributes to the achievement of business and strategic objectives.
How can an organisation assess the benefits of a fully implemented and effective ERM framework? AKA What are the outputs from ERM?
Mandatory obligations fulfilled
Assurance obtained
Decision making enhanced
Effective and efficient core processes
MADE2
NB an organisation can also assess the benefits of a fully implemented and effective ERM framework by way of the FIRM risk scorecard (Financial, Infrastructure, Reputational, Marketplace).
What are the benefits of ERM?
Achievement of goals under the FIRM scorecard.
What are the COSO (2017) components?
Governance and culture
Strategy and objective setting
Performance
Review and revision
Information, communication, and reporting
What factors can impact the implementation of a fully functioning ERM programme?
The start position - what is already in place that the enterprise can build on?
The commitment from the "top" - the greater the commitment and involvement of the C-suite, the more quickly the programme will be implemented and embedded.
The size and complexity of the enterprise.
The extent to which the enterprise is a global actor.
The resources available to support implementation.
Why is setting business objectives difficult and potentially a source of risk?
Balancing Objectives and Stakeholder Expectations:
- Agreeing on a strategic mission is easier than choosing suitable objectives.
- Objectives must balance conflicting stakeholder expectations, leading to compromises or conflicts.
Continuous Re-evaluation:
- Strategies and objectives need constant questioning due to changing internal and external contexts.
- A sensible mission today could become obsolete tomorrow.
Clarity and Communication:
- An unclear or inappropriate mission can lead to misinterpretation and disorganisation.
- The mission must be understood at all levels and effectively cascaded into tactical and operational objectives.
Acceptance of Objectives:
- Objectives must be fully accepted by those responsible for delivering them.
- Risks arise if formal objectives differ from the informal objectives people actually work to.
Setting Realistic Objectives:
- Easy-to-achieve objectives reduce the short-term risk of missing them but can leave value on the table; over-ambitious objectives increase long-term exposure because people take more risk to hit them.
Why do COSO 2004 AND 2017 consider objective setting so important?
The 2004 COSO cube places objective setting in the second row, immediately after the internal environment.
The text states that ‘the board should set objectives that support the mission of the organization that are consistent with its RISK APPETITE.’ If the board is to set objectives effectively, it needs to be aware of the risks arising if DIFFERENT objectives are pursued.
2017 - Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s MISSION and are consistent with its RISK APPETITE.’ It further states that ‘There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them’.
How do you set strategy and objectives under the standards? Note: a RM standard provides a framework and guidance for the risk process, not the strategy itself.
ISO 31000 outlines principles and guidelines for a systematic approach to risk management, applicable to any organization, regardless of size or industry
Develop a Consistent Mission
Develop suitable objectives
Build strategy in line with risk appetite, using the context of the organisation at that point in time (context changes over time, so strategy needs updating at appropriate intervals, and so does the ERM approach)
Implement strategy - culture of org may read the mission differently to others
Strategy to be accepted by everyone
What are the 3 levels of objective setting and timings
Organisational, divisional and team or individual level.
Strategic 1-3 years
Tactical - typically annually
Operational - 1 year or less
Why is it important to be able to measure objectives
So you can see whether it has been achieved - measure its realisation.
Quantitatively or qualitatively, depending on what is being measured.
What is clawback
Allows an organisation to recover some element of bonuses already paid should outcomes change over the longer term, i.e. where staff rewarded for achieving their objectives took more risk to hit them (the aggressive selling tactics of banks).
How does ERM enhance strategy selection
Choosing a strategy calls for structured decision-making that analyses risk and aligns resources with the MISSION AND VISION of the organization
What is risk criteria
Criteria measures how much risk matter to an org in relation to its ability to achieve its objs - links to risk analysis, evaluation and appetite
What is a KPI
Key Performance Indicator - critical indicators of progress toward an intended result.
KPIs provide:
Focus for Strategic and Operational improvement
Analytical basis for decision making
focus on what matters most to org
Drucker: WHAT GETS MEASURED GETS DONE
What is the role of KPIs
To measure performance at Strategic, Tactical and Operational levels
What can key indicators be used to measure
Can be used to measure IMPACT Categories (FIRM) used in analysis
So rather than define new metrics for RM, most of these already exist.
How can org objectives be used to develop risk metrics
Org objectives are the things that matter most to the org, so developing risk metrics using IMPACT categories is important
e.g. People objective - ensure sufficient personnel with the necessary SQEP and motivation to do their jobs.
KPI - monitor and measure military inflow and outflow rates.
SR - as a result of an inability to recruit enough people to meet requirements, and the numbers leaving, TIART Org will not attract, recruit, train and retain personnel, or have the resilience required, to deliver RN outputs.
Mitigating activity - 'Recruitment activity plan', a new recruitment process and a better end-to-end process.
What is the scope of ISO31000 (5 things)
Provides guidelines in managing risks customised to any org
Follows a common approach
Covers the entire lifecycle of organisational RM
Applied at all levels and functions
Applies to any activity, including decision making
What is the purpose of establishing the scope, context and criteria (ISO31000)
To customise the RM process and enable effective risk ASSESSMENT and appropriate risk TREATMENT
What should you consider when planning your approach to define the context (ISO31000)
Objectives and decisions that need to be made
Outcomes expected from the activities
Time, Location, specific inclusions and exclusions
Appropriate Risk Assessment tools and techniques
Resources required and Responsibilities and records to be kept
Relationships with other projects, processes and activities.
What is Risk CRITERIA or Risk Threshold
Organizations should define criteria to evaluate the significance of risk and support decision-making.
Risk criteria should consider uncertainties affecting outcomes and objectives, and how consequences and likelihood will be defined and measured.
What else should you consider when planning your approach to define the CONTEXT (ISO31000)
Need to define Internal and External environment in which you operate in
Should reflect specific environment to which the RM activities are to be applied
Sets structure and foundation for which Risk Assessment will be applied and ensures the reasons for this are clear
Provides backdrop against which risks can be identified and assessed
What should you consider when defining your risk CRITERIA (ISO31000)
Specify the amount and type of risk you may or may not TAKE, RELATIVE TO YOUR OBJECTIVES
What other term describes Risk CRITERIA?
Risk Appetite - specifies a technique to determine the magnitude of a risk (using a risk matrix), or a parameter (the conditions) related to risk, together with a limit beyond which risk becomes unacceptable.
A common technique is the risk matrix: assess both the likelihood of a risk occurring and the severity of its potential impact, assign a numerical value to each, and multiply them to produce a "risk score" for the overall magnitude. A predetermined threshold on that score (the risk appetite) defines the point at which a risk becomes unacceptable.
How could you determine the MAGNITUDE of a risk
use a risk matrix, which typically involves assessing both the likelihood of a risk occurring and the severity of its potential impact, often assigning numerical values to each factor and multiplying them together to calculate a “risk score” that indicates the overall magnitude
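A worked version of the risk-matrix calculation described above, as an added example and not part of the IRM deck. It assumes the four-point likelihood and impact scales the deck uses, numbered 1 to 4, a risk appetite expressed as a score at or above which a risk must be treated, and a small constructed risk register. Because a product collapses "rare but catastrophic" and "frequent but trivial" onto the same score, the ranking breaks ties on impact so the catastrophic one surfaces first; a practitioner should also read the matrix grid, not just the sorted list.

```python
"""Risk matrix scoring against a risk-appetite threshold (added example)."""
from dataclasses import dataclass

# Four-point scales: an even number of options stops people picking the middle.
# The numeric values are an assumption, not a published IRM scale.
LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Almost Certain": 4}
IMPACT = {"Small": 1, "Moderate": 2, "Severe": 3, "Catastrophic": 4}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT


@dataclass(frozen=True)
class Evaluation:
    name: str
    score: int
    decision: str  # "Treat" (at or above appetite) or "Accept"


def score(risk: Risk) -> int:
    """Likelihood x impact. Rejects terms outside the agreed scales rather than
    silently scoring them, which is how inconsistent registers creep in."""
    try:
        return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    except KeyError as exc:
        raise ValueError(f"{risk.name}: unknown scale term {exc}") from None


def evaluate(register: list[Risk], appetite: int) -> list[Evaluation]:
    """Rank a register and flag every risk whose score meets the appetite.

    Ties are broken on impact, so a 1x4 (rare, catastrophic) outranks a 4x1
    (frequent, trivial): the product alone cannot tell the two apart.
    """
    ranked = sorted(register, key=lambda r: (score(r), IMPACT[r.impact]), reverse=True)
    return [
        Evaluation(r.name, score(r), "Treat" if score(r) >= appetite else "Accept")
        for r in ranked
    ]


def render_matrix(appetite: int) -> str:
    """Text heat map: rows are impact (highest first), columns likelihood.
    Each cell holds the score, starred when it meets the appetite."""
    header = "Impact \\ Likelihood".ljust(20) + "".join(k.ljust(15) for k in LIKELIHOOD)
    lines = [header]
    for impact_name, impact_value in sorted(IMPACT.items(), key=lambda kv: -kv[1]):
        cells = []
        for likelihood_value in LIKELIHOOD.values():
            s = impact_value * likelihood_value
            cells.append(f"{s}{'*' if s >= appetite else ''}".ljust(15))
        lines.append(impact_name.ljust(20) + "".join(cells))
    return "\n".join(lines)


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("Ransomware on production estate", "Possible", "Catastrophic"),   # 2 x 4 = 8
    Risk("Key supplier insolvency", "Unlikely", "Severe"),                 # 1 x 3 = 3
    Risk("Phishing compromise of one mailbox", "Almost Certain", "Small"), # 4 x 1 = 4
    Risk("Loss of data centre", "Unlikely", "Catastrophic"),               # 1 x 4 = 4
]
APPETITE = 6  # assumption: scores of 6 or more exceed the board's appetite

if __name__ == "__main__":
    print(render_matrix(APPETITE))
    for item in evaluate(SAMPLE_REGISTER, APPETITE):
        print(f"{item.score:>2}  {item.decision:<6}  {item.name}")
```

Run it and the grid shows that eight of the sixteen cells sit at or above an appetite of 6, and that only the ransomware entry in the sample register lands in one of them. The two risks scoring 4 are listed with the data-centre loss first; whether a "1 x 4" should really be accepted is exactly the question the risk criteria, not the arithmetic, has to answer.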
What should you take into account when EVALUATING the SIGNIFICANCE of a risk
When evaluating risks, you compare their size to certain criteria related to your goals/objectives.
This helps you decide which risks need attention based on their potential to affect your goals.
However, the size of the risk isn’t the only thing that matters. Other factors include sustainability, resilience, ethics, laws, how well controls work, what happens if controls fail, timing, costs, and what stakeholders think.
What should you consider when deciding against options when evaluating your risks(ISO31000)
Organisations often face decisions that affect multiple goals, with both potential risks and benefits.
To make these decisions, they need to meet certain criteria and balance competing objectives.
It’s important to identify relevant criteria and decide how to weight them or make trade-offs.
Different stakeholders might have different costs and benefits, so this should be considered.
Also, organizations need to decide how to handle uncertainties, which involves their attitude, appetite, and tolerance for risk.
What is Risk Attitude (ISO31000)
It is your approach to assess and eventually pursue, retain, take or turn away from risk
What is Risk Appetite (ISO31000)
It is the amount and type of risk that you are willing to pursue or retain to achieve your objectives and outcomes
What is Risk Tolerance (ISO31000)
It is your readiness to bear the risk after risk treatments are implemented to achieve your objectives and outcomes.
What is Balanced Score Card
A set of KPIs tracked on a regular basis.
For each strategic objective: the KPI, the KPI target, and the projects that may move you towards achievement.
You then repeat the same at the operational level: how do we achieve the DP, then the CP, then the individual directorate objectives, each with its KPIs, targets and the projects (the HOW) that move towards achieving the objective.
What is an Extended Enterprise
The IRM define the extended enterprise as “a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own” within the timescale within which they wish to operate, with the skills available to them.
Explain Attachment of Risk
Key dependencies are the key things that the organisation needs to be successful; they might be internal or external things but in short, they are what the business depends upon for its future success.
Core processes are fundamental to organisational success because they are the means of delivery of strategy and continuity of operations. A core process can be defined as “the collection of activities that deliver a specific stakeholder expectation”.
Stakeholders are the groups of individuals who have a stake in the business, or are affected by what the organisation does – such as investors, suppliers, customers, the wider society and government.
What Risk analysis tool could you use to identify Attachment of Risk
SWOT and consider Dependencies, Core Processes and Stakeholders.
How does 31000 describe risk identification
ISO 31000 states that “the purpose of risk identification is to find, recognise and describe risks that might help or prevent an organisation achieving its objectives”.
How does the Orange book describe a CAUSE
A cause is an element which alone or in combination has the potential to give rise to risk.
How does the Orange book describe an event
An event is an occurrence or change of a set of circumstances and can be something that is expected which does not happen or something that is not expected which does happen. Events can have multiple causes and consequences and can affect multiple objectives.
How does the Orange book describe consequences
The consequences should the event happen - consequences are the outcome of an event affecting objectives, which can be certain or uncertain, can have positive or negative direct or indirect effects on objectives, can be expressed qualitatively or quantitatively, and can escalate through cascading and cumulative effects.
The causes and consequences of risk can also be illustrated using….
A bow Tie diagram
Centre of bow tie is the risk (Event)
To the left are the immediate and underlying threats or causes. To the right are the immediate and ultimate consequences.
How does using the Bow Tie diagram help the ERM approach
Because it requires us to look at the causes of the risks from all aspects of the enterprise (not just at one level) and similarly to map enterprise-wide consequences ( so several contributory causes for one risk)
Note that the risk bow-tie can be used for both threats and opportunities.
Name 5 risk techniques
Questionnaires and checklists
workshops and brainstorming
inspections and audits
flow charts and dependency analysis
crowdsourcing technology
Name two qualitative risk techniques that could be used at a risk assessment/evaluation workshop
SWOT and PESTLE
Name two quantitative assessment/evaluation techniques
Hazard and operability (HAZOP) and Failure modes effects analysis (FMEA)
Name four definitions of likelihood
Unlikely, Possible, Likely and Almost Certain (an even number of options stops people defaulting to the middle one)
Name four definitions of impact
Small, moderate, severe, catastrophic ( hospital example)
Define an Emerging Risk
Those which you know little about when they are recognised.
A risk that is evolving in areas and ways where the body of available knowledge is weak.
Differences between emerging risks and BAU Risks: being ambiguous, chaotic, complex, time-horizon can change, uncertain, uncontrollable, and volatile.
Explain a compliance risk
Adherence to the law and regulations
Captures legal and financial penalties for failing to act
Represents a licence to operate
Explain a hazard risk
Undermines objectives in a negative way.
Most commonly associated with operational risks, including H&S programmes
Example is theft
What is 31000 definition of Risk Analysis
ISO 31000 (2018) states:
‘The purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk.’
They follow this up with a note to the effect that ‘…risk analysis provides an input into risk evaluation, to decisions on whether risk needs to be treated and how.’
What’s the difference between analysing and evaluating risks
Analysing Risks:
* Involves understanding the nature, sources, and potential impacts of identified risks.
* Focuses on determining the likelihood and consequences of risks.
* Uses qualitative and quantitative methods to assess risk characteristics.
Evaluating Risks:
* Involves comparing the results of risk analysis against risk criteria to determine their significance.
* Helps prioritize risks based on their potential impact and likelihood.
* Aims to decide which risks need treatment and the best ways to manage them.
In short, analysing risks is about understanding them, while evaluating risks is about deciding what to do about them.
What are the ways you could determine the importance of your risks using ANALYSIS (HELP YOU UNDERSTAND THE NATURE, SOURCES AND POTENTIAL IMPACTS OF YOUR RISKS)
Looking at past records.
Looking at personal relevant experience (and intuition).
Looking at industry-relevant experience of the risk.
Looking at published literature on the risk.
Doing some testing or experiments (e.g., market research).
Using economic or statistical models to make forecasts.
Using experts in the area of that risk to make judgments.
These activities help you understand the nature, sources, and potential impacts of risks.
What are the ways you could rate the importance of your risks using EVALUATION (DECIDING WHAT TO DO ABOUT THEM)
Comparing the risks based on potential impact to your objectives.
Comparing the potential likelihood of happening.
Comparing relative velocity.
Comparing relative vulnerability of different parts of the organization the risks are linked to.
Comparing relative exposure of different parts of the organization the risks are linked to.
Considering proximity.
Assessing the level of action or control needed to manage the risks to a desired (target) state.
Comparing the relative difficulty of managing those risks.
Considering the relative influence of a single risk on other risks (dependency/cascade factor).
These activities help you prioritize and decide which risks need treatment and how to manage them.
What are the 3 steps to a simple value chain (Extended Enterprise)
Three steps to give a simple value chain for an org.
1. Core activities of the team, function, department, project or organisation - what is it that you do?
2. The key inputs to those activities - what do you need in order to do what you do?
3. The key outputs from those core activities - what is it that you deliver from those core activities?
How many risk CATEGORIES does the Orange book have
13, Strategy, Governance, Operations, Legal, Property, Financial, Commercial, People, Technology, Information, Security, Proj/Prog and Reputational.
What is PESTLE and when would you use it
Political, Economic, Social, Technological, Legal, Environmental (PESTLE)
To analyse the EXTERNAL context (the internal context is normally covered by the strengths and weaknesses of a SWOT)
Mendelow’s Stakeholder matrix has four boxes. What are they
Vertical axis is power, horizontal axis is interest. Top left (high power, low interest) - Keep Satisfied; Top right (high power, high interest) - Actively Engage and Manage; Bottom left (low power, low interest) - Minimal Effort; Bottom right (low power, high interest) - Keep Informed.
Stakeholder expectations are delivered by what core processes - Tip Acronym
STOC - Strategic, Tactical, Operational and Compliance core processes
What is Horizon scanning
"Exploration of what the future might look like to understand uncertainties better and to analyse whether the organisation is adequately prepared for potential opportunities and threats."
"It is not about trying to predict the future but rather to review options so that evidence-based decisions can be made."
Explain SMART
SPECIFIC – be specific about what you want to accomplish
MEASURABLE - define the metrics that determine whether you have met the goal
ACHIEVABLE - do you have the tools/skills needed; if not, what action is required?
RELEVANT – ensure the objective is aligned to the business strategy
TIME-BOUND – provide a realistic target date for delivery.
Why is Risk Criteria important
Risk criteria measure how much risks matter to an organization in relation to its ability to achieve objectives.
This links to risk analysis, risk evaluation, and risk appetite.
What are the components of Internal Context
Structure and Processes: Divisions, departments, structures, systems, processes, and accountability.
Culture and Leadership: Organizational culture, leadership, strengths, and weaknesses.
Internal Stakeholders: Staff, managers, and the board.
Corporate Governance: Approach to governance, resources, competencies, capabilities, and conduct.
Objective Setting: Factors influencing how objectives are set and achieved.
What questions can be answered by addressing the Internal Context
What are our objectives?
What is our capacity?
What are our business processes?
How do we make decisions?
Explain External Context
The external context includes the external environment where an organisation operates, affecting its ability to achieve objectives
What components make up the External Context
Stakeholder Expectations: External stakeholder expectations, industry regulators, competitor behavior, and the general economic environment.
Environmental Factors: Social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environments at various levels (international, national, regional, local).
Industry and Market: Industry, products, markets, competitors, suppliers, customers, logistics, and regions/countries of operation.
Key Drivers and Trends: Factors impacting organizational objectives.
External Relationships: Relationships with, and perceptions and values of, external stakeholders.
What questions are answered by addressing the External Context
What does the world around us look like?
What is driving our strategic direction?
What is the impact of changes in External Context
Changes can have a significant impact on organizations, as seen with the global financial crisis and the COVID-19 pandemic.
Events do not have to be global to impact organizations, industries, and countries.