Module 13: Business analysis, risk identification and initial assessment Flashcards
6-step process for risk identification and initial assessment
- ANALYSE THE BUSINESS operations and wider environment. Ensure that the business has clear objectives.
- IDENTIFY KEY RISKS to the business objectives in a structured way.
- AGREE ON THE RISKS faced, the relationships between them, and accountabilities for each risk and its management.
- EVALUATE the risks in terms of probability, severity and inter-dependency, gross and net of existing controls.
- Produce / update the RISK REGISTER, prioritising top risks for further analyses, quantification and risk mitigation.
- REVIEW the risk register regularly, especially in times of change.
6 Idea generation tools to help organisations identify risks
- SWOT analysis
- risk check lists
- risk prompt lists
- risk taxonomy
- case studies
- process analysis
7 Risk identification techniques
- brainstorming
- independent group analysis
- surveys
- gap analysis
- Delphi technique
- interviews
- working groups
7 Risk concepts
- exposure
- volatility
- probability
- severity
- time horizon
- correlation
- capital
Inherent risk
The risk to an entity
… in the absence of any actions
… that management might take
… to alter the risk’s likelihood or impact.
Residual risk
The remaining risk
… after management has taken action
… to alter the risk’s likelihood and impact.
It may also be a secondary risk resulting from taking another risk response action.
Risk map
Illustrates the effect that a risk might have on a company by ranking risk exposures by:
- SEVERITY on the X-AXIS and
- PROBABILITY on the Y-AXIS.
A risk map may also illustrate the results of control effectiveness by mapping both the inherent and residual risks.
Heat map
Plots severity against control effectiveness rating (to reveal where action needs to be taken).
Emerging risks
- either new risks, or changes in already known risks (or their control effectiveness)
- subject to high levels of uncertainty and ambiguity
- difficult to quantify using traditional risk assessment techniques
- important since they may represent a new business opportunity or have a significant impact on profitability, operations or strategy.
Emerging risks might be identified using horizon scanning.
Trends giving rise to emerging risk management challenges include (4)
- globalisation
- technology (cyber risk)
- changing market structures
- restructuring of businesses
3 examples of behavioural bias in financial decision-making
- overconfidence
- anchoring
- representative heuristics
The problem of bias can be reduced by (2)
- incorporating CHECKS AND BALANCES into the risk identification and assessment process
- introducing an OPTIMISM BIAS, where the capital cost is increased by a percentage based on past cost over-runs
Outline necessary conditions for an organisation to gain the benefits of risk identification and assessment
- have SENIOR SPONSORSHIP of the risk management programme
- be CONSISTENT ON THE STANDARDS used over time
- ensure quantitative and qualitative data is used so as to develop a COMPREHENSIVE RISK PROFILE for the whole organisation
- INTEGRATE risk identification with the entire risk management process
- DEMONSTRATE ADDED VALUE (not simply meet regulatory requirements).
Define SWOT analysis
This is a framework for generating ideas in a structured and comprehensive way.
A SWOT analysis considers Strengths, Weaknesses, Opportunities and Threats faced by the organisation, and can be used to establish what risks the company faces.
Define a risk checklist
A list of risks identified on past projects or initiatives the company has undertaken (experiential knowledge) or from an external source.
Care must be taken to ensure the information is relevant and up-to-date.
Define a risk prompt list
A list of the different categories of risk to consider and examples of each.
This may be produced at an industry-wide level by a supervisory authority.
Similarly, risk trigger questions list situations and events that have previously emerged and that should be considered.
E.g. PEST(ELI) analysis
Define risk taxonomy
A structured way of classifying risks and breaking them down into components. This can help to ensure that those involved in the process have a common understanding of the terms used in risk identification.
It is probably less project-specific than a checklist and less industry-specific than an industry prompt list.
Define case studies
Examining case studies can help to understand the impact of risks in a specific context.
Define process analysis
By constructing flow charts that detail business processes, and the links between them, it is possible to identify the risks that arise at each stage.
This technique is particularly suited to operational risks.
State one potential advantage common to all risk identification tools, and one potential disadvantage common to all of these tools
A potential advantage of all of these tools is that they provide a clear structure for the risk identification process.
This may improve the quality of the output (compared to a less structured process). However, the result may still not be comprehensive (e.g. due to bias in the process or the participants).
Cyber risk
Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
Typically connected to:
- online activity
- internet trading
- technological networks
- storage of personal data
Define the risk identification technique:
brainstorming
Brainstorming involves gathering together a group of people and generating ideas in a freeform way.
It is often facilitated by an external consultant and requires all participants to be in the same location at the same time.
Define the risk identification technique:
independent group analysis
Each risk is presented by a member of the group and is then discussed by the group.
An agreed list of risks is ranked independently by each member of the group and the responses combined to form an overall ranking.
Define the risk identification technique:
surveys
Rather than gathering all the participants together, using online (or postal) surveys can generate a wide range of responses cheaply and without collusion between participants.
Define the risk identification technique:
gap analysis
A gap analysis is a particular type of questionnaire designed to identify the company’s current and desired risk exposures.
Although the Board may be best placed to identify the latter, line management may be involved in identifying the former.
Define the risk identification technique:
Delphi technique
The Delphi technique is a structured communication technique where the participants answer questionnaires in two or more rounds.
After each round, a facilitator provides an anonymous summary of the output from the previous round as well as the reasons the participants provided for their judgements.
The participants then revise their earlier answers in the light of the replies of other members of the panel.
The intention is that during the process the range of answers will decrease and the group will converge towards a consensus.
The technique aims to maintain anonymity and independence whilst addressing the difficulties of designing questionnaires and surveys.