Module 1 - Unit 6 - Risk Response and Risk Treatment Flashcards
Why is it useful to consider inherent risk as well as residual risk?
• Considering the inherent level will enable the effect of individual control measures to be identified.
What are the three levels of risk in a risk matrix?
- Inherent
- Current (often referred to as residual but this implies risk is static which is misleading)
- Target
What are the four T’s? Explain each one.
An organisation will normally tolerate a hazard risk if the risk’s perceived severity is less than the risk appetite. Clearly, an organisation will tend to tolerate low severity risks. However, it may tolerate some high-severity risks – for example, where it has failed to identify risks or has under-estimated the severity of the risk.
An organisation can treat a risk by retaining it in the organisation and taking action to modify its severity, likelihood or impact. You will also see that the most common approach to respond to risks is through the ‘treat’ option.
An organisation may try to transfer risk exposure to a third party, such as an insurance company. In practice though it is very unlikely an organisation can fully transfer a risk and for that reason the term ‘risk sharing’ is often used. Other examples of risk transfer include joint ventures, outsourcing and risk financing. These are areas that you will study in later modules.
To terminate a risk an organisation will often need to terminate the activity which is associated with the risk. Termination is something that organisations usually undertake reluctantly and because the residual severity of the risk is simply too high after the organisation has considered all other possible cost-effective responses (from transfer or treat).
What is the distinction between impact and magnitude?
We can say that impact is a risk analysis measure at the residual risk level, whereas magnitude is a risk analysis measure at the inherent risk level.
Using the FIRM score card what are some example dependencies and significant risks under the Financial heading?
Dependencies
Availability of funds
Correct allocation of funds
Internal control
Liabilities under control
Risks
Insufficient funds available from parent company
Inadequate profit because of incorrect capital expenditure decisions
Fraud occurs because of inadequate
Higher than expected liabilities arise in the pension fund
Using the FIRM score card what are some example dependencies and significant risks under the Infrastructure heading?
Dependencies
People
Premises
Products
Processes
Risks
Failure to achieve/maintain health and safety standards
Damage to key location caused by insured peril
IT control systems not available because of virus or hacker activity
Disruption because of failure of supplier
Using the FIRM score card what are some example dependencies and significant risks under the Reputation heading?
Dependencies
Reputational Brand
Public opinion
Regulators
CSR
Risks
Product recall causes damage to product image and brand
Lost sales or revenue because of change in public tastes
Regulator enforcement action causes loss of public confidence
Allegations of unethical product sourcing causes loss of sales
Using the FIRM score card what are some example dependencies and significant risks under the Marketplace heading?
Dependencies
Regulatory environment
Economic health
Product development
Competitor behaviour
Risks
Change in tax regime results in unbudgeted tax demands
Decline in world or national economy reduces consumer spending
Changes in technology reduce product appeal and sales
Competitor substantially reduces prices to win market share
What are the 4Es of opportunity management? What might be considered the 5th ‘E’?
Explore
Exit
Exploit
Exist
Expand may be considered an alternative to Exit if circumstances permit.
What are the four risk response categories?
Control theory describes a hierarchy of risk responses as preventive, corrective, directive and detective (abbreviated as ‘PCDD’).
Give examples of preventative controls.
Examples of preventative controls include policies, standards, processes, procedures, encryption, firewalls, and physical barriers. Pre-event.
Elimination or removal of the source of the hazard
Substitution of the hazard with something less risky
Passwords or other access controls
Limits of authorization and separation of duties
Pre-employment screening of potential staff
Give examples of corrective controls
Corrective Control – designed to “remediate errors, omissions and unauthorised uses and intrusions once they are detected.” Post-event.
Engineering containment using barriers or guards
Exposure reduction by job rotation or limitation on hours worked
Staff rotation and regular change of supervisors
Give examples of Directive controls
Pre-event actions
Training and supervision to enforce procedures
Personal protective equipment and improved welfare facilities
Accessible, detailed, written systems and procedures
Training to ensure understanding of procedures
Give examples of Detective controls
Post-event manifestation.
Health monitoring to enquire about potential symptoms
Health surveillance to find early symptoms
Reconciliation, audit and review by internal audit
Whistleblowing policy to report (alleged) fraud
What are the advantages and disadvantages of Preventative controls?
- Advantage – Eliminates the hazard, so that no further consideration of it is required. In reality, this may not be a cost-effective option.
- Disadvantage – May not be possible for operational reasons.
- Disadvantage – Beneficial activities may be eliminated and either outsourced or replaced with something less effective and efficient.
What are the advantages and disadvantages of Corrective controls?
- Advantage – Can be simple and cost effective.
- Advantage – Do not require that existing practices and procedures are eliminated or replaced with alternative methods of work.
- Disadvantage – The marginal benefits that are achieved may be difficult to quantify or confirm as cost-effective.
- Disadvantage – May be over-engineered and their cost is disproportionate to the benefit that is achieved.
- Disadvantage – can introduce costs and inefficiency, particularly if required by regulation.
What are the advantages and disadvantages of Directive controls?
- Advantage – Risk control requirements can be explained during a normal training and instruction session provided for staff.
- Disadvantage – Represent a low level of control that may require constant supervision in order to ensure that the correct procedures are being followed.
- Disadvantage – If not implemented in practice the organization will be more exposed to allegations of poor risk control.
What are the advantages and disadvantages of Detective controls?
- Advantage – Often simple to administer.
- Disadvantage – The risk will already have materialized before it is detected (though this may help reduce impact, e.g. early discovery of a fraud or health condition via Occupational Health monitoring).
Give examples of risk arising under each heading of FIRM
- Financial – fraud and historical liabilities such as disease exposure or pension liabilities.
- Infrastructure – Health and safety, property fire protection, IT security, HR risks
- Reputation – Brand protection and environment
- Market – Technology developments and regulatory risks
What are the benefits of reviewing near misses?
By reviewing the near-miss event we can understand better:
• Why it occurred.
• Whether we had previously identified it as a possible risk.
• Why it did not have a big impact.
• Whether we had correctly analysed its likelihood and impact.
What are the advantages and disadvantages of insurance?
Advantages of insurance
• It provides indemnity against an expected loss.
• Insurance can reduce uncertainty regarding hazard events that may occur.
• It can provide economic benefits to the insured, because the loss may be greater than the insurance premium.
• Insurance can provide access to specialist services as part of the insurance premium. These services may include advice on loss control.
Disadvantages of insurance
• Delays often experienced in obtaining settlement of an insurance claim and the difficulties that can arise in quantifying the financial costs associated with the loss.
• Disputes regarding the extent of the cover that has been purchased and the exact terms and conditions of the insurance contract.
• Difficulty in deciding the limit of indemnity that is appropriate for liability exposures. This may result in under-insurance and the subsequent failure to have claims paid in full.
What are the three main classes of insurance? Give examples.
- Mandatory, legal and contractual obligations
Employers’ liability – compensation to employees injured at work
Public liability – compensation to public or customers
Motor third party – compensation following motor accident
Product liability – compensation for damage or injury
Professional indemnity – compensation to client for negligent advice
- Balance sheet/profit and loss protection
Business premises – damage to premises by adverse events
Business interruption – loss of profit and increased cost of working
Asset protection – losses, such as loss of cash, goods in transit, credit risk and fidelity guarantee (staff dishonesty)
Motor accidental damage – repair of own vehicles
Terrorism – compensation for damage caused by terrorism
Loss of a key person – compensation on loss of key staff member
- Employee benefit/protection of employee assets
Life and health – benefits to employees that can include: life cover, critical illness cover, income protection, private medical costs, permanent health cover, personal accident and travel injury/losses
Directors’ and officers’ liability – legal and compensation costs
What are the 6 C’s of insurance buying?
Cost - cost of insurance is defined by the insurance premium that is required from the organization. A second component of the cost is the level of self-insurance.
Coverage - Insurance policies usually have limitations, warranties and exclusions
Capacity - one insurance company on its own may not be willing to offer coverage up to the full value of the organisation’s assets.
Capabilities - Many insurance companies offer services in addition to insurance. These may include loss control services and assistance with business continuity planning. This also includes the need for buyers of insurance to pay greater attention to the financial status or credit rating awarded to individual insurance companies.
Claims - The handling of insurance claims can be a detailed and forensic exercise. Sometimes claims handling involves complex legal procedures involving specialist engineers and accountants.
Compliance – Payment of IPT, provision of insurance documents in a timely manner, and whether the insurer is admitted in the organisation’s territories.
What is a captive insurance company?
A captive insurance company is an insurance company owned by an organization that is not otherwise involved in insurance.