Module 1 - Unit 6 - Risk Response and Risk Treatment Flashcards

1
Q

Why is it useful to consider inherent risk as well as residual risk?

A

• Considering the inherent level will enable the effect of individual control measures to be identified.

2
Q

What are the three levels of risk in a risk matrix?

A
  • Inherent
  • Current (often referred to as residual but this implies risk is static which is misleading)
  • Target
3
Q

What are the four T’s? Explain each one.

A

Tolerate – An organisation will normally tolerate a hazard risk if the risk’s perceived severity is less than the risk appetite. Clearly, an organisation will tend to tolerate low-severity risks. However, it may tolerate some high-severity risks – for example, where it has failed to identify risks or has underestimated the severity of the risk.

Treat – An organisation can treat a risk by retaining it in the organisation and taking action to modify its severity, likelihood or impact. You will also see that the most common approach to responding to risks is the ‘treat’ option.

Transfer – An organisation may try to transfer risk exposure to a third party, such as an insurance company. In practice, though, it is very unlikely that an organisation can fully transfer a risk, and for that reason the term ‘risk sharing’ is often used. Other examples of risk transfer include joint ventures, outsourcing and risk financing. These are areas that you will study in later modules.

Terminate – To terminate a risk an organisation will often need to terminate the activity associated with the risk. Termination is something that organisations usually undertake reluctantly, because the residual severity of the risk is simply too high after the organisation has considered all other possible cost-effective responses (transfer or treat).

4
Q

What is the distinction between impact and magnitude?

A

We can say that impact is a risk analysis measure at the residual risk level, whereas magnitude is a risk analysis measure at the inherent risk level.

5
Q

Using the FIRM score card what are some example dependencies and significant risks under the Financial heading?

A

Dependencies

Availability of funds
Correct allocation of funds
Internal control
Liabilities under control

Risks

Insufficient funds available from parent company
Inadequate profit because of incorrect capital expenditure decisions
Fraud occurs because of inadequate
Higher than expected liabilities arise in the pension fund

6
Q

Using the FIRM score card what are some example dependencies and significant risks under the Infrastructure heading?

A

Dependencies

People
Premises
Products
Processes

Risks

Failure to achieve/maintain health and safety standards
Damage to key location caused by insured peril
IT control systems not available because of virus or hacker activity
Disruption because of failure of supplier

7
Q

Using the FIRM score card what are some example dependencies and significant risks under the Reputation heading?

A

Dependencies

Reputational Brand
Public opinion
Regulators
CSR

Risks

Product recall causes damage to product image and brand
Lost sales or revenue because of change in public tastes
Regulator enforcement action causes loss of public confidence
Allegations of unethical product sourcing cause loss of sales

8
Q

Using the FIRM score card what are some example dependencies and significant risks under the Marketplace heading?

A

Dependencies

Regulatory environment
Economic health
Product development
Competitor behaviour

Risks

Change in tax regime results in unbudgeted tax demands
Decline in world or national economy reduces consumer spending
Changes in technology reduce product appeal and sales
Competitor substantially reduces prices to win market share

9
Q

What are the 4Es of opportunity management? What might be considered the 5th ‘E’?

A

Explore
Exit
Exploit
Exist

Expand may be considered an alternative to Exit if circumstances permit.

10
Q

What are the four risk response categories?

A

Control theory describes a hierarchy of risk responses as preventive, corrective, directive and detective (abbreviated as ‘PCDD’).

11
Q

Give examples of preventative controls.

A

Examples of preventative controls include policies, standards, processes, procedures, encryption, firewalls and physical barriers. They act pre-event.

Elimination or removal of the source of the hazard
Substitution of the hazard with something less risky
Passwords or other access controls
Limits of authorization and separation of duties
Pre-employment screening of potential staff

12
Q

Give examples of corrective controls.

A

Corrective control – designed to “remediate errors, omissions and unauthorised uses and intrusions once they are detected”. They act post-event.

Engineering containment using barriers or guards
Exposure reduction by job rotation or limitation on hours worked
Staff rotation and regular change of supervisors

13
Q

Give examples of directive controls.

A

Pre-event actions.

Training and supervision to enforce procedures
Personal protective equipment and improved welfare facilities
Accessible, detailed, written systems and procedures
Training to ensure understanding of procedures

14
Q

Give examples of detective controls.

A

Post-event manifestation.

Health monitoring to enquire about potential symptoms
Health surveillance to find early symptoms
Reconciliation, audit and review by internal audit
Whistleblowing policy to report (alleged) fraud

15
Q

What are the advantages and disadvantages of Preventative controls?

A
  • Advantage – Eliminates the hazard, so that no further consideration of it is required. In reality, this may not be a cost-effective option.
  • Disadvantage – May not be possible for operational reasons.
  • Disadvantage – Beneficial activities may be eliminated and either outsourced or replaced with something less effective and efficient.
16
Q

What are the advantages and disadvantages of Corrective controls?

A
  • Advantage – Can be simple and cost effective.
  • Advantage – Do not require that existing practices and procedures are eliminated or replaced with alternative methods of work.
  • Disadvantage – The marginal benefits that are achieved may be difficult to quantify or confirm as cost-effective.
  • Disadvantage – May be over-engineered and their cost is disproportionate to the benefit that is achieved.
  • Disadvantage – Can introduce costs and inefficiency, particularly if required by regulation.

17
Q

What are the advantages and disadvantages of Directive controls?

A
  • Advantage – Risk control requirements can be explained during a normal training and instruction session provided for staff.
  • Disadvantage – Represent a low level of control that may require constant supervision in order to ensure that the correct procedures are being followed.
  • Disadvantage – If not implemented in practice, the organization will be more exposed to allegations of poor risk control.

18
Q

What are the advantages and disadvantages of Detective controls?

A
  • Advantage – Often simple to administer.
  • Disadvantage – The risk will already have materialized before it is detected (though detection may still help reduce impact, e.g. early discovery of a fraud or a health condition via Occupational Health monitoring).

19
Q

Give examples of risk arising under each heading of FIRM.

A
  • Financial – fraud and historical liabilities such as disease exposure or pension liabilities.
  • Infrastructure – Health and safety, property fire protection, IT security, HR risks
  • Reputation – Brand protection and environment
  • Market – Technology developments and regulatory risks

20
Q

What are the benefits of reviewing near misses?

A

By reviewing the near-miss event we can understand better:
• Why it occurred.
• Whether we had previously identified it as a possible risk.
• Why it did not have a big impact.
• Whether we had correctly analysed its likelihood and impact.

21
Q

What are the advantages and disadvantages of insurance?

A

Advantages of insurance
• It provides indemnity against an expected loss.
• Insurance can reduce uncertainty regarding hazard events that may occur.
• It can provide economic benefits to the insured, because the loss may be greater than the insurance premium.
• Insurance can provide access to specialist services as part of the insurance premium. These services may include advice on loss control.
Disadvantages of insurance
• Delays often experienced in obtaining settlement of an insurance claim and the difficulties that can arise in quantifying the financial costs associated with the loss.
• Disputes regarding the extent of the cover that has been purchased and the exact terms and conditions of the insurance contract.
• Difficulty in deciding the limit of indemnity that is appropriate for liability exposures. This may result in under-insurance and the subsequent failure to have claims paid in full.

22
Q

What are the three main classes of insurance? Give examples.

A
  1. Mandatory, legal and contractual obligations

Employers’ liability – compensation to employees injured at work
Public liability – compensation to public or customers
Motor third party – compensation following motor accident
Product liability – compensation for damage or injury
Professional indemnity – compensation to client for negligent advice

  2. Balance sheet/profit and loss protection

Business premises – damage to premises by adverse events
Business interruption – loss of profit and increased cost of working
Asset protection – losses, such as loss of cash, goods in transit, credit risk and fidelity guarantee (staff dishonesty)
Motor accidental damage – repair of own vehicles
Terrorism – compensation for damage caused by terrorism
Loss of a key person – compensation on loss of key staff member

  3. Employee benefit/protection of employee assets

Life and health – benefits to employees that can include: life cover, critical illness cover, income protection, private medical costs, permanent health cover, personal accident and travel injury/losses
Directors’ and officers’ liability – legal and compensation costs

23
Q

What are the 6 C’s of insurance buying?

A

Cost – The cost of insurance is defined by the insurance premium that is required from the organization. A second component of the cost is the level of self-insurance.

Coverage – Insurance policies usually have limitations, warranties and exclusions.

Capacity – One insurance company on its own may not be willing to offer coverage up to the full value of the organisation’s assets.

Capabilities – Many insurance companies offer services in addition to insurance. These may include loss control services and assistance with business continuity planning. This also includes the need for buyers of insurance to pay greater attention to the financial status or credit rating awarded to individual insurance companies.

Claims – The handling of insurance claims can be a detailed and forensic exercise. Sometimes claims handling involves complex legal procedures involving specialist engineers and accountants.

Compliance – Payment of IPT, provision of insurance documents in a timely manner, and whether the insurer is admitted in the organisation’s territories.

24
Q

What is a captive insurance company?

A

A captive insurance company is an insurance company owned by an organization that is not otherwise involved in insurance.

25
Q

What are the advantages of a captive insurance company?

A

The advantages of captive insurance companies are as follows:
• Savings may be achieved in overall insurance costs because lower premiums are often set by captive insurance companies.
• The captive insurance company can gain access to reinsurance markets, where premium rates and risk capacity can be favourable.
• By being exposed to the cost of insurance claims, a greater risk awareness and greater concern about loss control can be achieved.
• Greater insurance cover can be offered by the captive insurance company than is available in the commercial market.
• Certain tax benefits may be available from having a captive insurance company, although these have reduced in recent times.

26
Q

What are the disadvantages of a captive insurance company?

A

The disadvantages of captive insurance companies are as follows:
• The captive will be exposed to insurance claims that would otherwise have been paid by the commercial insurance market.
• The parent organization has to allocate capital to ensure adequate solvency of the captive insurance company.
• When large losses are paid by the captive, these are consolidated to the parent balance sheet and the organization ultimately pays these losses.
• Captives writing business in other territories will probably do so on a non-admitted basis and this may create compliance difficulties.
• Significant administrative cost, time and effort can be involved in the management of the captive by parent head office personnel.

27
Q

What are the three components of a Business Continuity Plan?

A

BCP should be viewed as having three components:
• The first response to any major event is to activate the crisis management plan to ensure an appropriate response to the crisis and, in particular, to ensure that stakeholders are aware of the situation.
• Secondly, the organization will then seek to recover from the event by implementation of a disaster recovery plan. However, as the disaster recovery plan is being implemented, the organization will still need to consider the ongoing management of the crisis.
• When implementation of the crisis management arrangements is well advanced, and the disaster recovery plan has been activated, the organization will then be able to turn its attention to the third and broader operational issue of business continuity.

28
Q

What are the 5 elements of a BCP under ISO 22301?

A
  • Identify crucial risk factors already affecting the organization;
  • Understand the needs and obligations of the organization;
  • Establish, implement and maintain your BCMS;
  • Measure the overall capability to manage disruptive incidents;
  • Guarantee conformity with stated business continuity policy.

29
Q

What principles are required for a successful BCP?

A

The overriding principles appropriate to successful BCP are that the plan should be:
• Comprehensive;
• Cost-effective;
• Practical;
• Effective;
• Maintained;
• Practised.

30
Q

What are the key activities in Business Continuity Planning?

A
  1. Assess company activities to identify critical staff, materials, procedures and equipment required to keep the business operating.
  2. Identify suppliers, shippers, resources and other businesses that are contacted on a daily basis.
  3. Plan what to do if any important buildings, plant or store were to become inaccessible.
  4. Identify necessary actions to ensure continuity of critical business functions, especially payroll.
  5. Decide who should participate in compiling and subsequently testing the emergency plans.
  6. Define crisis management procedures and individual responsibilities for disaster recovery activities.
  7. Co-ordinate with others, including neighbours, utility suppliers, suppliers, shippers and key customers.
  8. Review the emergency plans annually and when the business changes and/or new members of staff are recruited.

31
Q

How do Business Continuity Planning and Business Interruption Assessment work differ?

A

The critical difference from BCP is that the emphasis of a BIA is the identification of the relative importance and criticality of each function, rather than identifying the events that could undermine that particular function.