Module 1 - Unit 4 - Risk Assessment 1: Introduction and Identification Flashcards
What is the definition of risk assessment under BS 31100?
The overall process of risk identification, risk analysis and risk evaluation
What is the purpose of risk assessment?
The purpose of risk assessment is to identify the significant risks that could impact the selected feature (stakeholder expectations/business objectives, core processes, or key dependencies).
Summarise each of the following:
Risk identification
Risk analysis
Risk evaluation
Risk identification: What might happen (the event)?
Risk analysis: How likely is it to happen? If it does, what might the impact be?
Risk evaluation: So what? Is it within our risk appetite and tolerance?
What is a benefit of measuring inherent risk level?
Enables the difference between the current level and the inherent level to be identified. This will give an indication of the importance of the existing control measures, and the information is used by internal auditors to help identify critical controls and set audit priorities.
What are the four main risk assessment techniques?
- Checklists and questionnaires
- Workshops and brainstorming
- Inspections and audits; and
- Flowcharts and dependency analysis.
What are the advantages/disadvantages of top down risk assessment?
Advantages
- Likely to result in enterprise-wide approach
- Most significant strategic risks for the organisation can be captured quickly
- Shows management buy-in
- Likely to encourage consistent methodology
Disadvantages
- Senior managers focus more on external risks
- Limited awareness of internal operational risks or interdependencies
- Danger that the approach becomes too superficial because senior managers believe they can manage crises
- New risks emerging from the operational activities of the organisation might not be fully identified
What are the advantages/disadvantages of bottom up risk assessment?
Advantages
- Buy-in at all levels
- Can be mirrored to an existing organisation chart and risk impacts beyond immediate operational risks can be discussed
- Operational staff have good awareness of local risks which may not be visible to senior management
- Methodology can be varied to suit norms and culture.
Disadvantages
- Little focus on external or strategic risks
- Time-consuming and may demotivate
- Danger that the approach becomes too detailed, leading to silo approach
- New risks emerging from the operational activities might not be reported by operational staff
Give the advantages and disadvantages of using questionnaires to undertake risk assessment.
Advantages
- Consistent structure guarantees consistency
- Greater involvement than in a workshop
Disadvantages
- Rigid approach may result in some risks being missed
- Questions will be based on historical knowledge
Give the advantages and disadvantages of using workshops and brainstorming to undertake risk assessment.
Advantages:
- Consolidated opinions from all interested parties
- Greater interaction produces more ideas
Disadvantages
- Senior management tends to dominate
- Issues will be missed if incorrect people involved
Give the advantages and disadvantages of using inspections and audit to undertake risk assessment.
Advantages
- Physical evidence forms the basis of opinion
- Audit approach results in good structure
Disadvantages
- Inspections are most suitable for hazard risks
- Audit approach tends to focus on historical experience
Give the advantages and disadvantages of using Flow charts and dependency analysis to undertake risk assessment.
Advantages:
- Useful output that may be used elsewhere
- Analysis produces better understanding of processes
Disadvantages:
- Difficult to use for strategic risks
- May be very detailed and time-consuming
What are two qualitative risk analysis techniques?
SWOT is an analysis of the strengths, weaknesses, opportunities and threats faced by the organization.
PESTLE is an analysis that considers the political, economic, social, technological, legal and ethical (or environmental) risks faced by the organization.
What are two quantitative risk analysis techniques?
Hazard and operability (HAZOP) studies
Failure modes effects analysis (FMEA)
What factors impact risk perception?
Familiarity – Less afraid of risks we are familiar with
Personal control – More risk felt when we have less control, e.g. car use vs. aviation despite statistics on accidents
Voluntary/involuntary – People who choose to take a risk are less likely to be concerned than those who have risk forced upon them
Dreaded vs. non-dreaded – Less worried about a trip, slip or fall compared to a fall from great height
Benefits – We may derive joy from the risk, e.g. skydiving
What are two problems leading from differing risk perceptions during risk assessment?
- Organisations are likely to manage the same risks very inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty.
- Risk managers could seek to achieve greater kudos among their stakeholders by focusing their efforts on helping to manage the stakeholders’ fears over what they perceive to be the most significant risks rather than what are actually the most significant risks.