Module 1 - Unit 6 (Risk Response and Risk Treatment) Flashcards

1
Q

Provide one reason as to why it may not be possible to eliminate all of the high- and medium-severity risks.

A
  • Reasons of practicality
  • or cost-effectiveness
  • Flaws in the risk analysis process could result in the true level of inherent risk severity being understated.
2
Q

What are priority significant risks?

A
  1. High/very high impact in relation to the benchmark test for significance
  2. High/very high likelihood of materialising at or above the benchmark level.
  3. High/very high scope for cost-effective improvement in control.
3
Q

What are the 4T’s in relation to risk treatment?

A

Treat
Tolerate
Transfer
Terminate

The 4T’s also link the previous stage in the risk management process (risk evaluation) to the next stage (monitoring and review).

4
Q

Define ‘risk treatment’

A

Risk treatment is the process to modify risk (ISO 31000).

Any action that is taken by the organisation to address a risk forms part of ‘internal control’.

5
Q

In relation to the 4T’s, what has been suggested as the 5th T?

A

Take the opportunity

6
Q

Describe ‘Transfer’ in relation to the 4T’s

A
  • Appropriate when residual impact is high and likelihood is low.
  • Risk exposure may be transferred to a third party, e.g. an insurance company, where this is cost-effective.
  • It is very unlikely that an organisation can fully transfer a risk, so the term ‘risk sharing’ is often used.
  • Mechanisms include joint ventures, outsourcing and risk financing.
7
Q

Describe ‘Terminate’ in relation to the 4T’s.

A
  • Appropriate where residual impact and likelihood are both high.
  • Also described as avoid/eliminate.
  • Terminate the activity associated with the risk, substitute an alternative activity, or outsource the activity that carries the risk.
  • Chosen when residual severity is still too high after the organisation has considered all other cost-effective responses.
  • There may be circumstances where an organisation is unable to terminate a risk, because there is an obligation to deliver a service even if the risks are very high, or because the consequential loss of reputation would be an even greater risk. The only option left is then to tolerate the residual risk, even though it exceeds risk appetite, and to implement alternative control measures.
8
Q

Describe ‘Tolerate’ in relation to the 4T’s.

A
  • Appropriate where residual impact and likelihood are both low.
  • Also described as accept/retain.
  • Residual severity is below risk appetite.
  • The risk has been treated as far as necessary; no further treatment is required.
  • Can be influenced by legal or regulatory requirements.
  • Certain control measures may already have been applied because the inherent level of the risk was unacceptable.
  • A risk only becomes tolerable when all cost-effective control measures have been put in place, so the organisation is accepting or tolerating the risk at its residual level.

  • Some high-severity risks may be tolerated because:
    1. We have failed to identify these risks.
    2. We have underestimated the severity of these risks.
  • Even if a risk is not tolerable, the ability to do anything about it may be limited, or the cost of taking action may be disproportionate to the potential benefit.

9
Q

Define ‘Treat’ in relation to the 4T’s.

A
  • Where residual impact is low and likelihood is high.
  • Most common approach
  • Retaining it in the organisation and taking action to modify its severity, likelihood, or impact.
  • The purpose of treatment is that whilst continuing within the organisation with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level.
  • Actions to improve the standard of risk control will always be under constant review in an organisation.
10
Q

Draw a risk matrix of the 4T’s of hazard management.

A

See Figure 15.1 ‘Risk matrix and the 4T’s of hazard management’ Hopkin (2018).

11
Q

Provide an example of a significant risk for each of the FIRM components.

A

Financial
• Insufficient funds available from parent company
• Fraud occurs because of inadequate internal controls.

Infrastructure
• Failure to achieve/maintain health and safety standards
• IT control systems not available because of virus or hacker activity
• Disruption because of failure of supplier

Reputational
• Product recall causes damage to product image and brand
• Regulator enforcement action causes loss of public confidence

Marketplace
• Decline in world or national economy reduces consumer spending
• Competitor substantially reduces prices to win market share

12
Q

Name the 4E’s in relation to strategic risk response.

A

Explore
Expand
Exploit
Exist

13
Q

Describe the 4E’s in relation to strategic risk response

(Risk versus reward in strategy).

A

EXPLORE
• A start-up operation will face a higher level of risk, but low potential rewards
• Entrepreneurial opportunities will be explored.

EXPAND
• As the organisation grows, reward will increase, but the level of risk will remain (high).
• The organisation will seek to achieve growth
• But if growth is too slow, or the level of risk remains too high (appetite exceeded) it will EXIT from those operations.

EXPLOIT
• After a period of growth, high reward, for a reduced risk.
• Mature operation

EXIST
• All mature operations are exposed to the possibility of decline
• Risk exposure is low, and so are potential rewards.
• Many organisations choose to exist in a mature, declining market.

14
Q

Draw a diagram to show risk versus reward in strategy OR opportunity risks and risk appetite

A
  1. See figure 15.2 ‘Risk versus reward in strategy’ Hopkin (2018).
  2. See figure 15.3 ‘Opportunity risks and risk appetite’ Hopkin (2018).
15
Q

Draw a risk register, showing clearly the columns that you would expect to see in order to track a risk effectively.

A
  • Risk description
  • Risk categorisation
  • Business unit
  • Inherent rating (split into impact and likelihood)
  • Current controls
  • Residual severity (split into impact and likelihood)
  • Target controls
  • Target date for implementing target controls
  • Risk ownership
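The 4T matrix of card 10 and the register columns of card 15, worked through in one added example. This is illustrative code written for these notes, not from Hopkin (2018) or the flashcards. It assumes 1 to 5 ordinal scales for impact and likelihood with 3 or above counting as ‘high’, severity = impact × likelihood, a risk appetite of 6, and the sample rows, control names and reduction figures are constructed (not real data). The control vector of card 27 is modelled as the distance between the inherent and residual ratings.

```python
from dataclasses import dataclass
from math import hypot

# Assumption: 1-5 ordinal scales for impact and likelihood; 3 or above is "high".
HIGH = 3


@dataclass(frozen=True)
class Control:
    """A control and the reduction in impact/likelihood it is credited with (assumed figures)."""
    name: str
    kind: str                  # PCDD class: preventive, corrective, directive or detective
    impact_reduction: int = 0
    likelihood_reduction: int = 0


@dataclass
class RiskEntry:
    """One row of the register, carrying the columns listed in card 15."""
    description: str
    category: str              # FIRM: Financial, Infrastructure, Reputational, Marketplace
    business_unit: str
    inherent_impact: int
    inherent_likelihood: int
    current_controls: list
    target_controls: list
    target_date: str
    owner: str

    def _rating_after(self, controls):
        impact = self.inherent_impact - sum(c.impact_reduction for c in controls)
        likelihood = self.inherent_likelihood - sum(c.likelihood_reduction for c in controls)
        return max(1, impact), max(1, likelihood)   # a rating never drops below 1

    def residual(self):
        """Residual (impact, likelihood) once the current controls are applied."""
        return self._rating_after(self.current_controls)

    def target(self):
        """Expected (impact, likelihood) once the target controls are also in place."""
        return self._rating_after(self.current_controls + self.target_controls)


def four_t_response(impact, likelihood, high=HIGH):
    """Map a residual impact/likelihood pair to its quadrant of the 4T matrix (card 10)."""
    high_impact, high_likelihood = impact >= high, likelihood >= high
    if high_impact and high_likelihood:
        return "Terminate"
    if high_impact:
        return "Transfer"
    if high_likelihood:
        return "Treat"
    return "Tolerate"


def control_vector_length(entry):
    """Length of the control vector (card 27): distance from inherent to residual rating."""
    impact, likelihood = entry.residual()
    return hypot(entry.inherent_impact - impact, entry.inherent_likelihood - likelihood)


def assess(entry, appetite):
    """Summarise one row. Severity = impact x likelihood and the appetite are assumptions."""
    impact, likelihood = entry.residual()
    severity = impact * likelihood
    return {
        "description": entry.description,
        "residual": (impact, likelihood),
        "severity": severity,
        "response": four_t_response(impact, likelihood),
        # Tolerate only holds when residual severity is within appetite (card 8).
        "within_appetite": severity <= appetite,
        "control_effort": round(control_vector_length(entry), 2),
    }


# Constructed sample rows (not real data), using the FIRM examples from card 11.
SAMPLE_REGISTER = [
    RiskEntry("IT control systems not available because of virus or hacker activity",
              "Infrastructure", "Operations", 5, 4,
              current_controls=[Control("Patching and endpoint protection", "preventive", 0, 2),
                                Control("Offline backups", "corrective", 2, 0)],
              target_controls=[Control("Network segmentation", "preventive", 1, 1)],
              target_date="2025-12-31", owner="Head of IT"),
    RiskEntry("Fraud occurs because of inadequate internal controls",
              "Financial", "Finance", 4, 5,
              current_controls=[Control("Limits of authorisation", "preventive", 2, 0),
                                Control("Separation of duties", "preventive", 0, 1)],
              target_controls=[Control("Reconciliation by internal audit", "detective", 0, 2)],
              target_date="2025-06-30", owner="Finance Director"),
    RiskEntry("Competitor substantially reduces prices to win market share",
              "Marketplace", "Sales", 2, 2, [], [], "", "Sales Director"),
]


def assess_register(register=SAMPLE_REGISTER, appetite=6):
    """Assess every row; a row outside appetite still needs further treatment."""
    return [assess(entry, appetite) for entry in register]
```

Running `assess_register()` places the IT row in the Transfer quadrant (residual 3/2), the fraud row in Treat (residual 2/4, still outside the assumed appetite), and the marketplace row in Tolerate, with the control effort column growing as the inherent and residual ratings move further apart.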
16
Q

What are the PCDD controls for hazard type risks?

A

Preventative
Corrective
Directive
Detective

17
Q

What is control theory?

A
  • Control theory is an alternative classification of responses to hazard type risks
  • It describes a hierarchy of risk responses as PCDD (preventative, corrective, directive, and detective)
  • It provides some indication of when the different types of controls might be appropriate.
18
Q

What is a ‘preventative’ control, and provide an example of this type of control for the following types of risk:
• Health and safety risks
• Fraud risks

A
  • A preventative control is designed to eliminate the possibility of an undesirable risk materialising
  • Relevant to actions that are taken before the event occurs

Health and safety risks:
• Elimination or removal of the source of the hazard
• Substitution of the hazard with something less risky

Fraud risks:
• Limits of authorisation and separation of duties
• Pre-employment screening of potential staff

19
Q

What is a ‘corrective’ control, and provide an example of this type of control for the following types of risk:
• Health and safety risks
• Fraud risks

A
  • A corrective control is designed to limit the scope for loss, correct undesirable circumstances, and reduce any undesirable risk exposures.
  • Relevant to loss prevention, damage limitation, and cost containment
  • Often in place because of regulatory requirements

Health and safety risks:
• Engineering containment using barriers or guards.
• Exposure reduction by job rotation or limitation on hours worked

Fraud risks:
• Password or other access controls
• Staff rotation and regular change of supervisors.

20
Q

What is a ‘directive’ control, and provide an example of this type of control for the following types of risk:
• Health and safety risks
• Fraud risks

A
  • Based on giving directions to people to behave in a certain way and/or follow established procedures
  • Relevant to loss prevention, damage limitation, and cost-containment.

Health and safety risks:
• Training and supervision to enforce procedures
• Instructions for the use of personal protective equipment/clothing
• Improved welfare facilities

Fraud risks:
• Accessible, detailed, written systems and procedures.
• Training to ensure understanding of procedures.

21
Q

What is a ‘detective’ control, and provide an example of this type of control for the following types of risk:
• Health and safety risks
• Fraud risks

A
  • Designed to identify that a hazard risk has materialised
  • So that action can be taken to avoid further or greater losses and to stop circumstances deteriorating further
  • Their effect is, by definition, ‘after the event’

Health and safety risks:
• Health monitoring to enquire about potential symptoms
• Health surveillance to find early symptoms
• Early detection of lung disease from dust exposure, and deafness caused by exposure to occupational noise.

Fraud risks:
• Reconciliation, audit and review by internal audit
• Whistleblowing policy to report (alleged) fraud
• Stock or asset checks

22
Q

What is an ‘anticipatory control’?

A
  • An anticipatory control is a response relevant to emerging future situations.
  • Anticipatory controls are forward-looking and similar to directive controls, but tend to be more long-term and strategic in nature.
  • Directive controls are based on the organisation’s present-day internal and external environment
  • Anticipatory controls anticipate changes to those environments and prepare the organisation for such changes.
23
Q

Explain why disaster recovery planning (DRP) and business continuity planning (BCP) can be considered as DIRECTIVE and CORRECTIVE controls.

A
  • When an organisation is faced with a crisis, it will be in a much better position to cope if plans have been considered and put in place before the crisis arises.
  • Crisis management will sometimes involve the use of alternative facilities that were put in place before the crisis arose; it could be argued these are CORRECTIVE controls.
  • In all cases, crisis management will involve direction to the involved parties as to how they should behave if the crisis arises; it could be argued these are DIRECTIVE controls.
  • An alternative view is that DRP and BCP are concerned with crisis management and cannot easily be classified as a PCDD type of control.
24
Q

Explain why disaster recovery planning (DRP) and business continuity planning (BCP) should not be considered as a detective control?

A
  • Normally, detective controls relate to identification of circumstances where the risk has materialised at a fairly low level with limited impact and consequences.
  • BCP and DRP clearly relate to circumstances where risks have materialised at crisis level, so it is inappropriate to classify them as detective controls.
  • It can, however, be argued that DRP and BCP are both methods of COST CONTAINMENT designed to ensure minimum disruption after a hazard risk has materialised, which aligns them with corrective controls (cost containment is listed under the corrective control description above).
  • They do not conveniently fit into the PCDD classification system for controls because they are POST-LOSS procedures.
25
Q

Define ‘Non-admitted insurance’.

A

• Non-admitted insurance is insurance written by an insurance company with no presence in a territory.

26
Q

Define ‘Monitoring and review’

A

• Monitoring and review is a feedback mechanism
• Ensures that the organisation monitors risk performance and learns from experience.
- IRM (2002)

By monitoring and reviewing our RM activities, the following can be uncovered:
• Cost of risk controls
• Learning from controls
• Learning from risk events

27
Q

What is a ‘control vector’?

A
  • A control vector is represented by a line on the risk matrix
  • It shows the effect of each individual risk control measure
  • The longer the line, the greater the effect of the control and the greater the control effort (management time, effort and cost).
28
Q

Draw a diagram to represent cost-effectiveness controls.

A

See Figure 23.2 ‘Cost-effective controls’ Hopkin (2018).

29
Q

List 5 benefits from applying ‘monitoring and review’ across the whole risk management process.

A
  1. To ensure our responses are effective and efficient
  2. To identify and manage potential adverse side effects and unintended consequences of our responses.
  3. To build up knowledge to improve risk identification and analysis.
  4. To better link risks to objectives, key dependencies, core processes, and stakeholder expectations.
  5. To detect and prepare for changes in our internal and external context
  6. To detect and prepare for changes and trends in our risks.
  7. To identify and prepare for new and emerging risks
  8. To identify good risk management practice, build on it and disseminate it to other parts of the organisation.
30
Q

What is the fundamental principle of insurance?

A

Indemnity

31
Q

Describe insurance

A
  • The insured organisation makes a contract with the insurer for an insurance policy that provides indemnity for insured events
  • Should an insured event occur that results in loss, the insurer will put the insured back in the position (at least financially) as if the loss had never occurred
  • i.e. the insurance company is contracted to pay a certain sum of money in the event of defined circumstances arising or defined events occurring
  • The insured pays a known premium for the insurer to take that risk.
32
Q

Name the three categories of insurance / insurance types and provide two examples of each

A
1. Mandatory, legal, and other contractual obligations
• Employer’s liability
• Public liability
• Motor third party
• Product liability
• Professional indemnity
2. Balance sheet / profit and loss protection
• Business premises
• Business interruption
• Asset protection
• Motor accidental damage
• Terrorism
• Loss of key person
3. Employee benefit / protection of employee assets
• Life and health
• Directors’ and officers’ liability
33
Q

State three reasons why an organisation buys insurance.

A
  1. Statutory and client requirements
  2. To cover the increased cost of operations
  3. Recover the cost of repairing the damage.
  4. Restoring the business following a loss
34
Q

What is ‘First-party’ insurance?

A

Insurance company pays for losses suffered directly by the insured (e.g property damage).

35
Q

What is ‘Third-party’ insurance?

A

Insurance company pays for losses to other parties because of the activities of the insured (e.g motor third-party, and public/general liability).

36
Q

When looking at purchasing insurance, what are the 6C’s an organisation will consider?

A
  • Cost
  • Coverage
  • Capacity
  • Capabilities
  • Claims
  • Compliance
37
Q

List two advantages and disadvantages associated with the use of insurance as a risk transfer mechanism

A

Advantages:
• Provides indemnity against an unexpected loss.
• Insurance can reduce uncertainty regarding hazard events that may occur
• Can provide economic benefits to the insured (the loss may be greater than the insurance premium)
• Can provide access to specialist services (e.g. advice on loss control).

Disadvantages:
• Delays are often experienced in obtaining settlement of an insurance claim
• Difficulties that can arise in quantifying the financial costs associated with the loss
• May be disputes regarding the extent of the cover that has been purchased and the exact terms and conditions of the insurance contract.
• The insured may have difficulties in deciding the limit of indemnity that is appropriate for liability exposures.
• Cost of insurance varies significantly during different cycles of the insurance markets.

38
Q

What is a ‘Captive Insurance company’ and what is its purpose?

A
  • An organisation self-insures by establishing its own insurance company subsidiary.
  • A captive insurance company is therefore an insurance company owned by an organisation that is not otherwise involved in insurance.
  • Its purpose is to provide insurance capacity for the organisation by using internal financial resources to fund certain types of anticipated losses or insurance claims.
39
Q

Name two advantages and disadvantages of a captive insurance company.

A

Advantages:
• Access reinsurance markets
• Can provide cover to group companies that may not be available from other insurers
• Are able to offer insurance cover to third parties
• Can decide to locate their domicile in any country, not simply those with favourable regulatory and accounting regimes
• Tax benefits
• Insuring risks that would otherwise be uninsurable
• Greater awareness of loss control

Disadvantages:
• Exposed to more insurance claims
• Allocation of capital
• Organisation pays for losses
• Creates compliance difficulties
• Administrative cost, time and effort
40
Q

Describe the three components of a Business Continuity Plan.

A

First response:

• Activate the crisis management plan

  • to ensure an appropriate response to the crisis (major event)
  • to ensure that (external) stakeholders are aware of the situation
  • effective communication, so that actions are taken to manage stakeholder reaction and expectations and damage to reputation from the incident is kept to a minimum

Second response:

• Implement the disaster recovery plan

  • mainly concerned with the actions to restore the infrastructure of the organisation
  • will need to consider the ongoing management of the crisis
  • aims to manage the crisis as soon as possible after it happens and minimise the immediate damage
  • DRPs are usually well-defined, documented and tested

Third response:

• Business continuity

  • by this stage crisis management is well advanced and the DRP has been activated
  • the organisation can turn its attention to the broader operational issue of business continuity
  • to recover from the crisis efficiently and effectively, allowing the organisation to continue operating with minimal disruption

41
Q

What is a ‘business impact analysis (BIA)’ ?

A
  • BIA will identify the critical nature of each business function by assessment of the impact of interruption to that activity.
  • This information is required in order to identify appropriate continuity strategies for each function.

BIA has three clear purposes:

  1. Identify mission-critical activities and the required recovery time in the event of a disruption.
  2. Establish the impact potential and the resource requirements for recovery within the agreed timescale
  3. Determine whether the likely impact is within the risk appetite of the organisation as the basis for business continuity strategy.