Module 1 - Unit 4 (RA1 - Introduction & Identification) Flashcards

1
Q

According to ISO 31000, define ‘risk identification’.

A

Risk identification is the process of finding, recognising, and describing risks.

2
Q

List three aims of risk identification.

A
  1. To generate a comprehensive list of risks.
  2. To ensure risks are managed, even subconsciously.
  3. To identify not just individual risks, but key dependencies also.
3
Q

List three advantages and disadvantages of a top-down risk assessment.

A

Top-down (Board of directors/CEO)

Advantages:
• Enterprise-wide approach
• Most significant strategic risks captured quickly
• Shows management buy-in from the top, so more acceptance at all levels.
• Tone from the top, more consistent methodology throughout.
• Identify operational risks to achieving objectives

Disadvantages:
• More focus on external risks
• Limited awareness of internal operational risks and interdependencies
• Approach seen as superficial
• Emerging operational risks not fully identified

4
Q

List three advantages and disadvantages of a bottom-up risk assessment.

A

Bottom-up (local departments)

Advantages:
• Significant buy-in at all levels
• Mirrors the organisation chart, and risk impacts beyond immediate operational risks are discussed
• Greater awareness of operational and local risks
• Methodology tailored to local norms and culture, which is useful for a multinational organisation

Disadvantages:
• Little focus on external and strategic risks
• Time consuming to develop an enterprise approach, which can demotivate
• Process can become too blinkered - silos
• New risks might not be reported by operational staff

5
Q

List four common risk assessment techniques.

A
  • Questionnaires and checklists
  • Workshops and brainstorming
  • Inspections and audits
  • Flow charts and dependency analysis
6
Q

Describe what is meant by ‘questionnaires and checklists’ and state two advantages and disadvantages of this risk assessment technique.

A

Questionnaires and checklists:
• Structured - to collect information that will assist with the recognition of significant risks

Advantages:
• Consistent structure and guarantees consistency
• Greater involvement than a workshop

Disadvantages:
• Rigid approach that may miss some risks.
• Questions are based on historical knowledge.

7
Q

Describe what is meant by ‘workshops and brainstorming’ and state two advantages and disadvantages of this risk assessment technique.

A

Workshops and brainstorming:
• Collection and sharing of ideas to discuss the events that could impact the objectives, core processes, or key dependencies.

Advantages:
• Consolidated opinion from all interested parties
• Greater interaction = more ideas

Disadvantages:
• Dominated by senior management
• Risks missed if the incorrect people are involved

8
Q

Describe what is meant by ‘inspections and audits’ and state two advantages and disadvantages of this risk assessment technique.

A

Inspections and audits:
• Physical inspections of premises and activities, and audits of compliance with established systems and procedures.

Advantages:
• Physical evidence forms the basis of opinion
• Audit approach results in good structure

Disadvantages:
• Inspections are more suited to hazard risks
• Audit approach focuses on historical experience

9
Q

Describe what is meant by ‘Flow charts and dependency analysis’ and state two advantages and disadvantages of this risk assessment technique.

A

Flow charts and dependency analysis:
• Analysis of processes and operations to identify key critical components

Advantages:
• Output may be useful elsewhere
• Better understanding of process achieved

Disadvantages:
• Not well suited for identifying strategic risk
• Time consuming and detailed

10
Q

Provide two examples of quantitative and qualitative risk assessment workshop and brainstorming techniques.

A

Qualitative:
• SWOT (Strengths, Weaknesses, Opportunities, and Threats)
• PESTLE (Political, Economic, Social, Technological, Legal, and Ethical)

Quantitative:
• HAZOP (Hazard and Opportunity)
• FMEA (Failure Mode Effects Analysis)

11
Q

State one consequence of people undertaking risk assessments having different risk perceptions.

A
  1. Risk treatments are applied to less significant risks.
  2. Organisations are likely to manage the same risks very inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty.
12
Q

Which factors are likely to influence your view when assigning a low, medium, or high rating for the likelihood and impact of an interruption to production due to a natural disaster:

  1. The length of time since the last natural disaster in the vicinity of the production unit.
  2. Where your suppliers are located
  3. Long range models and stress scenarios
  4. What you produce.
A
  2. Where your suppliers are located
  4. What you produce

13
Q

Relying on historical analysis when assessing potential risks and possible impacts implies that...

A

...management believe that the future will behave much like the past.

14
Q

What are the 4C’s in relation to attitude to risk?

A
  1. Comfort
  2. Cautious
  3. Concerned
  4. Critical
15
Q

Draw a risk matrix for a risk averse organisation (risk attitude), which details the risk appetite, exposure, and capacity
(Optimal)

A

See Figure 25.1 ‘Risk appetite, exposure and capacity (Optimal)’ Hopkin (2018)

  • Risk capacity is higher than both the risk appetite and the risk exposure = represent an optimal state of affairs.
  • This ensures that the organisation is taking risks that are within the appetite of the board and not exceeding the ultimate risk capacity.
  • Lower risk appetite = more risk averse attitude to risk = greater risks in the critical zone.
16
Q

Draw a risk matrix for a risk aggressive organisation (risk attitude), which details the risk appetite, exposure, and capacity
(Vulnerable)

A

See Figure 25.3 ‘Risk appetite, exposure and capacity (vulnerable)’ Hopkin (2018)

  • Very limited universe of risk (represented by the darkest squares) = It is only in this area that the board of the organisation will consider that the risks are significant.
  • Greater risk appetite = more aggressive attitude to risk = fewer risks in the critical zone
  • Ultimate risk capacity is lower than the actual risk exposure = organisation may be taking risks that are beyond the ultimate risk capacity of the organisation.
17
Q

Describe the difference between ‘risk appetite’ and ‘risk attitude’ of an organisation.

A

Risk appetite is the more immediate need to take risk in order to achieve objectives.

Whereas, risk attitude describes the long-term approach of the organisation to risk.

18
Q

Provide an example of a good risk description.

A

EXAMPLE 1:

CAUSES
• Due to job dissatisfaction, lack of training or development opportunities, and uncompetitive salaries

RISK
• Increased staff turnover in the IT services department may occur

CONSEQUENCES/IMPACT
• which would lead to loss of valuable IT knowledge, poorer response to IT queries, and lack of technological development in IT

EXAMPLE 2:

CAUSES
• As a result of lack of awareness of the specific provisions, lack of a compliance checklist or register, and lack of funds to develop an acceptable framework of financial controls

RISK
• Failure to comply with a key section of the Sarbanes-Oxley Act 2002 may occur

CONSEQUENCES/IMPACT
• which would lead to adverse publicity, specific criminal and financial penalties for senior staff, large fines on the business, and loss of shareholder value

19
Q

Using the FIRM risk scorecard, which of the following risks could a manager quantify?

  1. Loss of income
  2. Financial gain
  3. Reputational damage
A
  1. Loss of income
  2. Financial gain

20
Q

Identify a risk management tool that can be used to categorise, and thus provide some order, to all of these changes in the organisation’s external context.

Also, list the component elements of that risk management tool.

A

PESTLE

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environmental (or ethical)
21
Q

Describe the six components of the PESTLE risk classification system and state what type of risk this tool is best used for analysing.

A

PESTLE - this tool is best for analysing external risks, the external risk environment, and strategic risks.

POLITICAL
• Tax policy, employment laws, environmental regulations, trade restrictions, tariffs and political stability.

ECONOMIC
• Economic growth/decline, interest rates, exchange rates and inflation rates, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living

SOCIOLOGICAL
• Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming

TECHNOLOGICAL
• Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing your supply chain

LEGAL
• Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation

ETHICAL or ENVIRONMENTAL
• Ethical and environmental aspects, although many of these factors will be economic or social in nature

22
Q

State three advantages and disadvantages of using PESTLE risk classification system for analysing risks.

A

ADVANTAGES
• Simple framework
• Provides a clear analysis of the issues that should be addressed within the external context
• Facilitates understanding of the wider business environment
• Encourages external and strategic thinking
• Anticipates future business threats, and business opportunities

DISADVANTAGES
• Over-simplification
• Needs to be regularly repeated
• Different people and perspectives required
• Expensive to access external data and time-consuming
• Often based on assumptions
• Risks of capturing too much data makes it difficult to see priorities