Module 1 Unit 4 Managing, Monitoring and Reporting Risk Flashcards
Establish an organisational environment where risks are effectively managed, monitored, and reported on
What aspect of risk analysis and evaluation helps you identify your target risk?
Risk appetite - it tells us not only whether to treat a risk, but also when to stop treating it: the target risk is the residual level at which the risk sits within appetite.
Define Control
A measure that maintains and/or modifies risk, with two additional notes:
Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
Controls may not always exert the intended or assumed modifying effect.
When would you consider using a cost-benefit analysis in the risk process?
When selecting the most appropriate options to manage the risks. Risks should not be managed at any cost.
What are the four response strategy types for risks? (clue: the 4 T's)
Terminate - what can we do to get rid of the big risks altogether, e.g. by stopping the activity that gives rise to them
Treat - what can we do to change the size of the risk: mitigate by reducing the likelihood or the impact
Transfer - financially through insurance, or give it to someone else to manage through a contract. Often called risk sharing, since it is unlikely that all of the risk can be transferred.
Tolerate - can I accept the risk at that level, or do I need to go through the other options first?
Usually tolerate if the risk's perceived severity is less than the risk appetite.
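As an added worked example (not part of these flashcards), the Python script below models the decision the 4 T's describe, together with the points about risk appetite and cost-benefit analysis: it scores each risk as likelihood x impact, tolerates anything already within appetite, otherwise adds the Treat or Transfer control with the best net benefit (risk reduction minus cost) one at a time until the residual risk reaches the target set by the appetite, never picks a control that costs more than it saves, and terminates where no cost-effective control gets the risk within appetite. All risks, controls, costs and factors are constructed for illustration.

```python
"""Added example (not from the flashcards): choosing a 4 T's response per risk.

All risks, controls, costs and factors below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    strategy: str                     # "Treat" (reduce the risk) or "Transfer" (insure / contract out)
    cost: float                       # annual cost of running the control
    likelihood_factor: float = 1.0    # multiplies likelihood (0.5 halves it)
    impact_factor: float = 1.0        # multiplies loss per event


@dataclass
class Risk:
    name: str
    likelihood: float                 # expected events per year
    impact: float                     # loss per event, in money units
    candidates: list = field(default_factory=list)


def respond(risk: Risk, appetite: float):
    """Return (strategy, [control names], residual exposure) for one risk.

    Exposure is likelihood * impact. Tolerate if it is already within appetite.
    Otherwise add the control with the best net benefit (reduction minus cost)
    one at a time and stop as soon as the residual is within appetite: the
    appetite tells us when to stop treating. A control that costs more than it
    saves is never chosen (risks are not managed at any cost). If no
    cost-effective control brings the residual within appetite, terminate;
    the controls already picked are still listed for information.
    """
    lik, imp = risk.likelihood, risk.impact
    if lik * imp <= appetite:
        return "Tolerate", [], lik * imp

    chosen, remaining = [], list(risk.candidates)
    while lik * imp > appetite and remaining:
        best, best_net = None, 0.0
        for c in remaining:
            reduction = lik * imp - (lik * c.likelihood_factor) * (imp * c.impact_factor)
            net = reduction - c.cost
            if net > best_net:            # only controls that pay for themselves qualify
                best, best_net = c, net
        if best is None:
            break                         # nothing left that is cost-effective
        chosen.append(best)
        remaining.remove(best)
        lik *= best.likelihood_factor
        imp *= best.impact_factor

    residual = lik * imp
    if residual > appetite:
        return "Terminate", [c.name for c in chosen], residual
    strategy = " + ".join(sorted({c.strategy for c in chosen}))
    return strategy, [c.name for c in chosen], residual


# Constructed register: figures are illustrative, not real loss data.
APPETITE = 30_000.0
REGISTER = [
    Risk("ransomware outbreak", 0.5, 400_000, [
        Control("offline backups", "Treat", 20_000, impact_factor=0.25),
        Control("phishing awareness training", "Treat", 10_000, likelihood_factor=0.5),
        Control("cyber insurance", "Transfer", 30_000, impact_factor=0.5),
        Control("endpoint detection and response", "Treat", 60_000, likelihood_factor=0.5),
    ]),
    Risk("office fire", 0.05, 2_000_000, [
        Control("sprinkler system", "Treat", 40_000, impact_factor=0.5),
        Control("property insurance", "Transfer", 25_000, impact_factor=0.2),
    ]),
    Risk("unsupported legacy application", 1.0, 150_000, [
        Control("full rewrite", "Treat", 500_000, likelihood_factor=0.1),
    ]),
    Risk("stationery theft", 0.2, 10_000, []),
]


def plan(register=REGISTER, appetite=APPETITE):
    """Map each risk name to its chosen response."""
    return {r.name: respond(r, appetite) for r in register}


if __name__ == "__main__":
    for name, (strategy, controls, residual) in plan().items():
        print(f"{name}: {strategy}; controls={controls}; residual={residual:,.0f}")
```

The greedy pass re-scores the remaining controls after each choice, so a control that looked worthwhile against the raw exposure can drop out once an earlier control has shrunk the risk, which is what makes "when to stop treating" a property of the appetite rather than of the control list.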
What are the response strategy types for opportunities? (clue: the 4 E's)
Exit - we could exit, e.g. sell a growing business: get out quickly, let the buyer take all the risks, and we take the money we have made so far
Expand - or keep the business and expand those opportunities
Exploit - when the level of risk is lower but the reward is still high, exploit the opportunities to make them bigger
Exist - continue to exist with those opportunities: if they arise I will take them, but I am not doing anything extra to gain them.
Controls - Explain Loss Prevention
Controls designed to stop a risk from occurring (managing the causes).
Controls - Explain Damage Limitation
Controls designed to reduce the size of the risk as soon as it has occurred (managing the impacts)
Controls - Explain Cost Containment
Controls designed to reduce the long-term effect of the risk, such as business continuity management.
Controls - What is PCDD?
Preventive
Corrective
Directive
Detective
Remember this is for risks only, as you wouldn't prevent or correct an opportunity.
Preventive Controls
H&T suggest this is the most important approach
If the likelihood is low, it might not be cost-effective to prevent a risk
Cost-benefit analysis of any preventive control is vital
Preventive controls take effect before the risk occurs
Corrective Controls
Put in place if preventive controls are not feasible, desirable or cost-effective
Also need cost benefit analysis
Need to be developed before the risk occurs, but only take effect once a risk has occurred.
Directive controls
Most common type of control
Based on giving directions to another person or party on how they should behave
Therefore they might not be very reliable, since they depend on the recipient complying.
On their own they are not real controls.
Detective Controls
These detect a risk occurring, such as a fire alarm, or a project going off track being picked up through an audit review.
Is a preventive control a pre-event or a post-event manifestation?
Pre-event - an internal control used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.
Is a corrective control a pre-event or a post-event manifestation?
Post-event - designed to "remediate errors, omissions and unauthorised uses and intrusions once they are detected".
What is the difference between an anticipatory control and a directive control?
Directive controls are based on the organisation's present-day internal and external environment, while anticipatory controls anticipate changes to those environments and prepare the organisation for such changes.
What is an anticipatory control?
These controls are forward-looking, similar to directive controls, but tend to be longer-term and strategic in nature; they are set in advance of possible future scenarios and aim to help the organisation adapt effectively and in good time to those scenarios, should they occur.
Give an example of a proactive control for a fraud risk
suitable vetting of individuals' backgrounds at job interview stage
penalties that could be invoked against anyone found to be defrauding the company
Give an example of reactive controls for a fraud risk
encouragement of confidential whistleblowing arrangements and fraud hotlines
media handling activities to mitigate any damage to reputation that might arise