Module 1 - Unit 4 (RA1 - Introduction & Identification) Flashcards
According to ISO 31000, define ‘risk identification’.
Risk identification is the process of finding, recognising, and describing risks.
List three aims of risk identification.
- To generate a comprehensive list of risks.
- To ensure risks are managed, even subconsciously.
- To identify not just individual risks, but key dependencies also.
List three advantages and disadvantages of a top-down risk assessment.
Top-down (Board of directors/CEO)
Advantages:
• Enterprise-wide approach
• Most significant strategic risks captured quickly
• Shows management buy-in from the top, so more acceptance at all levels.
• Tone from the top, more consistent methodology throughout.
• Identify operational risks to achieving objectives
Disadvantages:
• More focus on external risks
• Limited awareness of internal operational risks and interdependencies
• Approach seen as superficial
• Emerging operational risks not fully identified
List three advantages and disadvantages of a bottom-up risk assessment
Bottom-up (local departments)
Advantages:
• Significant buy-in at all levels
• Mirrors the organisation chart, and risk impacts beyond immediate operational risks are discussed
• Greater awareness of operational and local risks
• Methodology tailored to local norms and culture, which is useful for a multinational organisation
Disadvantages:
• Little focus on external and strategic risks
• Time-consuming to develop an enterprise approach, which can demotivate.
• Process can become too blinkered - silos
• New risks might not be reported by operational staff
List four common risk assessment techniques.
- Questionnaires and checklists
- Workshops and brainstorming
- Inspections and audits
- Flow charts and dependency analysis
Describe what is meant by ‘questionnaires and checklists’ and state two advantages and disadvantages of this risk assessment technique.
Questionnaires and checklists:
• Structured - to collect information that will assist with the recognition of significant risks
Advantages:
• Consistent structure that guarantees consistency
• Greater involvement than a workshop
Disadvantages:
• Rigid approach that may miss some risks.
• Questions are based on historical knowledge.
Describe what is meant by ‘workshops and brainstorming’ and state two advantages and disadvantages of this risk assessment technique.
Workshops and brainstorming:
• Collection and sharing of ideas to discuss the events that could impact the objectives, core processes, or key dependencies.
Advantages:
• Consolidated opinion from all interested parties
• Greater interaction = more ideas
Disadvantages:
• Dominated by senior management
• Risks missed if the incorrect people are involved
Describe what is meant by ‘inspections and audits’ and state two advantages and disadvantages of this risk assessment technique.
Inspections and audits:
• Physical inspections of premises and activities, and audits of compliance with established systems and procedures.
Advantages:
• Physical evidence forms the basis of opinion
• Audit approach results in good structure
Disadvantages:
• Inspections are more suited to hazard risks
• Audit approach focuses on historical experience
Describe what is meant by ‘Flow charts and dependency analysis’ and state two advantages and disadvantages of this risk assessment technique.
Flow charts and dependency analysis:
• Analysis of processes and operations to identify key critical components
Advantages:
• Output may be useful elsewhere
• Better understanding of process achieved
Disadvantages:
• Not well suited for identifying strategic risk
• Time consuming and detailed
Provide two examples of quantitative and qualitative risk assessment workshop - brainstorming techniques
Qualitative:
• SWOT (Strengths, Weaknesses, Opportunities, and Threats)
• PESTLE (Political, Economic, Social, Technological, Legal, and Ethical)
Quantitative:
• HAZOP (Hazard and Opportunity)
• FMEA (Failure Mode Effects Analysis)
State one consequence of people undertaking risk assessments having different risk perceptions.
- Risk treatments are applied to less significant risks.
- Organisations are likely to manage the same risks very inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty.
Which factors are likely to influence your view when assigning a low, medium, or high rating for the likelihood and impact of an interruption to production due to a natural disaster:
1. The length of time since the last natural disaster in the vicinity of the production unit.
2. Where your suppliers are located
3. Long range models and stress scenarios
4. What you produce.

2. Where your suppliers are located
4. What you produce
Relying on historical analysis when assessing potential risks and possible impacts implies that..
..management believe that the future will behave much like the past.
What are the 4C’s in relation to attitude to risk?
- Comfort
- Cautious
- Concerned
- Critical
Draw a risk matrix for a risk averse organisation (risk attitude), which details the risk appetite, exposure, and capacity
(Optimal)
See Figure 25.1 ‘Risk appetite, exposure and capacity (Optimal)’ Hopkin (2018)
- Risk capacity is higher than both the risk appetite and the risk exposure = represent an optimal state of affairs.
- This ensures that the organisation is taking risks that are within the appetite of the board and not exceeding the ultimate risk capacity.
- Lower risk appetite = more risk averse attitude to risk = greater risks in the critical zone.
Draw a risk matrix for a risk aggressive organisation (risk attitude), which details the risk appetite, exposure, and capacity
(Vulnerable)
See Figure 25.3 ‘Risk appetite, exposure and capacity (vulnerable)’ Hopkin (2018)
- Very limited universe of risk (represented by the darkest squares) = It is only in this area that the board of the organisation will consider that the risks are significant.
- Greater risk appetite = more aggressive attitude to risk = fewer risks in the critical zone
- Ultimate risk capacity is lower than the actual risk exposure = organisation may be taking risks that are beyond the ultimate risk capacity of the organisation.
Describe the difference between ‘risk appetite’ and ‘risk attitude’ of an organisation.
Risk appetite is the more immediate need to take risk in order to achieve objectives.
Whereas, risk attitude describes the long-term approach of the organisation to risk.
Provide an example of a good risk description.
EXAMPLE 1:
CAUSES
• Due to job dissatisfaction, lack of training or development opportunities, and uncompetitive salaries
RISK
• Increased staff turnover in the IT services department may occur
CONSEQUENCES/IMPACT
• which would lead to loss of valuable IT knowledge, poorer response to IT queries, and lack of technological development in IT
EXAMPLE 2:
CAUSES
• As a result of lack of awareness of the specific provisions, lack of a compliance checklist or register, and lack of funds to develop an acceptable framework of financial controls
RISK
• Failure to comply with a key section of the Sarbanes-Oxley Act 2002 may occur
CONSEQUENCES/IMPACT
• which would lead to adverse publicity, specific criminal and financial penalties for senior staff, large fines on the business, and loss of shareholder value
Using the FIRM risk scorecard, which of the following risks could a manager quantify?
1. Loss of income
2. Financial gain
3. Reputational damage

1. Loss of income
2. Financial gain
Identify a risk management tool that can be used to categorise, and thus provide some order, to all of these changes in the organisation’s external context.
Also, list the component elements of that risk management tool.
PESTLE
- Political
- Economic
- Social
- Technological
- Legal
- Environmental (or ethical)
Describe the six components of the PESTLE risk classification system and state what type of risk this tool is best used for analysing.
PESTLE - this tool is best for analysing external risks, the external risk environment, and strategic risks.
POLITICAL
• Tax policy, employment laws, environmental regulations, trade restrictions, tariffs and political stability.
ECONOMIC
• Economic growth/decline, interest rates, exchange rates and inflation rates, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living
SOCIOLOGICAL
• Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming
TECHNOLOGICAL
• Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing your supply chain
LEGAL
• Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation
ETHICAL or ENVIRONMENTAL
• Ethical and environmental aspects, although many of these factors will be economic or social in nature
State three advantages and disadvantages of using PESTLE risk classification system for analysing risks.
ADVANTAGES
• Simple framework
• Provides a clear analysis of the issues that should be addressed within the external context
• Facilitates understanding of the wider business environment
• Encourages external and strategic thinking
• Anticipates future business threats, and business opportunities
DISADVANTAGES
• Over-simplification
• Needs to be regularly repeated
• Different people and perspectives required
• Expensive to access external data, and time-consuming
• Often based on assumptions
• Risk of capturing too much data, which makes it difficult to see priorities