Module 13: Business analysis, risk identification and initial assessment Flashcards

1
Q

6-step process for risk identification and initial assessment

A
  1. ANALYSE THE BUSINESS operations and wider environment. Ensure that the business has clear objectives.
  2. IDENTIFY KEY RISKS to the business objectives in a structured way.
  3. AGREE ON THE RISKS faced, the relationships between them, and accountabilities for each risk and its management.
  4. EVALUATE the risks in terms of
    — probability,
    — severity and
    — inter-dependency,
    gross and net of existing controls.
  5. Produce / update the RISK REGISTER, prioritising top risks for further analyses, quantification and risk mitigation.
  6. REVIEW the risk register regularly, especially in times of change.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

6 Idea generation tools to help organisations identify risks

A
  • SWOT analysis
  • risk check lists
  • risk prompt lists
  • risk taxonomy
  • case studies
  • process analysis
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

7 Risk identification techniques

A
  • brainstorming
  • independent group analysis
  • surveys
  • gap analysis
  • Delphi technique
  • interviews
  • working groups
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

7 Risk concepts

A
  1. exposure
  2. volatility
  3. probability
  4. severity
  5. time horizon
  6. correlation
  7. capital
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Inherent risk

A

The risk to an entity
… in the absence of any actions
… that management might take
… to alter the risk’s likelihood or impact.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Residual risk

A

The remaining risk
… after management has taken action
… to alter the risk’s likelihood and impact.

It may also be a secondary risk resulting from taking another risk response action.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Risk map

A

Illustrates the effect that a risk might have on a company by ranking risk exposures by:

  • SEVERITY on the X-AXIS and
  • PROBABILITY on the Y-AXIS.

A risk map may also illustrate the results of control effectiveness by mapping both the inherent and residual risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Heat map

A

Plots severity against control effectiveness rating (to reveal where action needs to be taken).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Emerging risks

A
  • either new risks, or changes in already known risks (or their control effectiveness)
  • subject to high levels of uncertainty and ambiguity
  • difficult to quantify using traditional risk assessment techniques
  • important since they may represent a new business opportunity or have a significant impact on profitability, operations or strategy.

Emerging risks might be identified using horizon scanning.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Trends giving rise to emerging risk management challenges include (4)

A
  • globalisation
  • technology (cyber risk)
  • changing market structures
  • restructuring of businesses
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

3 examples of behavioural bias in financial decision-making

A
  • overconfidence
  • anchoring
  • representative heuristics
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The problem of bias can be reduced by (2)

A
  • incorporating CHECKS AND BALANCES into the risk identification and assessment process
  • introducing an OPTIMISM BIAS, where the capital cost is increased by a percentage based on past cost over-runs
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Outline necessary conditions for an organisation to gain the benefits of risk identification and assessment

A
  • have SENIOR SPONSORSHIP of the risk management programme
  • be CONSISTENT ON THE STANDARDS used over time
  • ensure quantitative and qualitative data is used so as to develop a COMPREHENSIVE RISK PROFILE for the whole organisation
  • INTEGRATE risk identification with the entire risk management process
  • DEMONSTRATE ADDED VALUE (not simply meet regulatory requirements).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Define SWOT analysis

A

This is a framework for generating ideas in a structured and comprehensive way.

A SWOT analysis considers 
  --- Strengths, 
  --- Weaknesses, 
  --- Opportunities and 
  --- Threats 
faced by the organisation, and can be used to establish what risks the company faces.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Define a risk checklist

A

A list of risks identified on past projects or initiatives the company has undertaken (experiential knowledge) or from an external source.

Care must be taken to ensure the information is relevant and up-to-date.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Define a risk prompt list

A

A list of the different categories of risk to consider and examples of each.

This may be produced at an industry-wide level by a supervisory authority.

Similarly risk trigger questions list situations and events that have previously emerged and that should be considered.

E.g. PEST(ELI) analysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Define risk taxonomy

A

A structured way of classifying and breaking them down into components. This can help to ensure that those involved in the process have a common understanding of the terms used in risk identification.

It is probably less project-specific than a checklist and less industry-specific than an industry prompt list.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Define case studies

A

Examining case studies can help to understand the impact of risks in a specific context.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Define process analysis

A

By constructing flow charts that detail business processes, and the links between them, it is possible to identify the risks that arise at each stage.

This technique is particularly suited to operational risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

State one potential advantage common to all risk identification tools, and one potential disadvantage common to all of these tools

A

A potential advantage of all of these tools is that they provide a clear structure for the risk identification process.

This may improve the quality of the output (compared to a less structured process), however the result may still not be comprehensive (eg due to bias in the process or the participants).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Cyber risk

A

Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.

Typically connected to:

  • online activity
  • internet trading
  • technological networks
  • storage of personal data
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Define the risk identification technique:

brainstorming

A

Brainstorming involves gathering together a group of people and generating ideas in a freeform way.

It is often facilitated by an external consultant and requires all participants to be in the same location at the same time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Define the risk identification technique:

independent group analysis

A

Each risk is presented by a member of the group and is then discussed by the group.

An agreed list of risks is ranked independently by each member of the group and the responses combined to form an overall ranking.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Define the risk identification technique:

surveys

A

Rather than gathering all the participants together, using online (or postal) surveys can generate a wide range of responses cheaply and without collusion between participants.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Define the risk identification technique:

gap analysis

A

A gap analysis is a particular type of questionnaire designed to identify the company’s current and desired risk exposures.

Although the Board may be best placed to identify the latter, line management may be involved in identifying the former.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Define the risk identification technique:

Delphi technique

A

The Delphi technique is a structured communication technique where the participants answer questionnaires in two or more rounds.

After each round, a facilitator provides an anonymous summary of the output from the previous round as well as the reasons they provided for their judgements.

The participants then revise their earlier answers in the light of the replies of other members of the panel.

The intention is that during the process the range of answers will decrease and the group will converge towards a consensus.

The technique aims to maintain anonymity and independence whilst addressing the difficulties of designing questionnaires and surveys.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Define the risk identification technique:

interviews

A

Individuals are interviewed and the results collated, normally by an independent, external reviewer.

28
Q

Define the risk identification technique:

working groups

A

Small number of interested individuals are tasked with considering a specific risk (or group of risks).

The members of the group are normally specialists.

It may be extended to the analysis of the risks identified - especially if they are unquantifiable.

29
Q

Problem of bias

A

Without a supportive risk culture, it is possible that risk are not identified, assessed or reported in a true and honest way.

This is known as the problem of bias.

30
Q

11 Sources of bias

A
  • Insufficient care may have been devoted to the identification or analysis of risks.
  • Key risks may have been accidentally or deliberately omitted.
  • Incorrect assumptions that certain risks are independent of each other may have concealed the true likelihood of “chain reactions” of adverse events.
  • The likelihood of disasters occurring may have been underestimated because of inadequate past experience.
  • Cashflows may have been guessed or, worse, deliberately biased towards optimism.
  • Insufficient amount may have been taken of the future ups and downs of the economic cycle.
  • The risks associated with new technologies may have been given inadequate attention.
  • Not all the effects of the project on the sponsor’s other business may have been considered
31
Q

11 Sources of bias

A
  • Insufficient care may have been devoted to the identification or analysis of risks.
  • Key risks may have been accidentally or deliberately omitted.
  • Incorrect assumptions that certain risks are independent of each other may have concealed the true likelihood of “chain reactions” of adverse events.
  • The likelihood of disasters occurring may have been underestimated because of inadequate past experience.
  • Cashflows may have been guessed or, worse, deliberately biased towards optimism.
  • Insufficient amount may have been taken of the future ups and downs of the economic cycle.
  • The risks associated with new technologies may have been given inadequate attention.
  • Not all the effects of the project on the sponsor’s other business may have been considered.
  • Credit may have been taken for benefits not directly attributable to the project.
  • The assumptions on which the estimates are based may not correspond with senior management’s views of the world in future.
  • Arithmetic or spreadsheets may contain errors which lead to substantially incorrect evaluation, or there may be failures of logic in building the model.

Bias can similarly take place in reporting to the Board about the ongoing risks facing the enterprise as a whole.

32
Q

Behavioural finance

A

The study of unintentional bias in finance.

The field looks at how a variety of mental biases and decision-making errors affect financial decisions.
It relates to the psychology that underlies and drives financial decision-making behaviour.

33
Q

The key step which should be taken to minimise the risk of bias

A

To validate the appraisal work by competent and genuinely independent checking, and by reference where possible to the outcomes of similar projects undertaken previously.

34
Q

DISADVANTAGE of the risk identification technique:

brainstorming

A

Poorly run brainstorming sessions run the risk of convergent thinking (or group-think) or uneven participation lading to an incomplete or biased identification of risks.

Participants should come from various departments across the organisation and have different backgrounds.

Even in specialist areas, “outsiders” can bring fresh ideas that can inspire the experts.

35
Q

DISADVANTAGE of the risk identification technique:

Independent group analysis

A

An unbalanced group (eg too many marketing executives) may produce a biased list of risks and rankings.

36
Q

DISADVANTAGE of the risk identification technique:

Surveys

A

There is the problem of framing - the risk that the way in which the question is asked influences the response.

Pilot surveys can help improve the survey design.

Surveys can also suffer from poor response rates.

The quality of a survey is only as good as the quality of both the design and the analysis of the response data.

37
Q

DISADVANTAGE of the risk identification technique:

Gap analysis

A

It may be difficult and/or costly to engage The Board in such a process.

38
Q

DISADVANTAGE of the risk identification technique:

Delphi technique

A

The technique is likely to be time-consuming and therefore costly, especially as an external expert facilitator is likely to be required.

39
Q

DISADVANTAGE of the risk identification technique:

Interviews

A

Unlike surveys, immediate clarification can be sought, however this technique can be time-consuming (and hence expensive), leading to restrictions on the number of interviews conducted. Involving multiple interviewers can lead to inconsistencies.

40
Q

DISADVANTAGE of the risk identification technique:

Working groups

A

If the members of the group are specialist, as is normal, then the identification will be narrow rather than comprehensive.

In addition, specialists may want to work at a higher level of precision than is cost justified.

41
Q

7 Key elements in a risk register

A
  • a labelling or numbering system so that risks can be identified easily
  • the category of risk
  • a description of each risk that is clear and understandable to all
  • an (initial) assessment of the likelihood of the risk occurring, its impact, and perhaps the timeframe over which it is applicable.
  • the risk response action, its cost and expected residual / secondary risks
  • individuals involved in monitoring and managing the risk
  • document control information, so it is clear when it was last updated and by whom
42
Q

List 7 risk concepts

A
  • exposure
  • volatility
  • probability
  • severity
  • time horizon
  • correlation
  • capital
43
Q

Outline the risk concept:

exposure

A

The maximum loss that can be suffered if an event occurs.

Bear in mind that harm may not have an immediate monetary value (e.g. damage to brand name)

44
Q

Outline the risk concept:

volatility

A

A measure of the variability within the range of possible outcomes.

When describing market risk, volatility is defined as the standard deviation of returns.

45
Q

Outline the risk concept:

probability

A

the likelihood that an event occurs

46
Q

Outline the risk concept:

severity

A

the loss that is likely to be incurred if an event occurs

severity is generally lower than exposure (which is the maximum loss).

47
Q

Outline the risk concept:

time horizon

A

the length of time for which an organisation is exposed to risk or

the time required to recover from (or reverse the effects of) an event

48
Q

Outline the risk concept:

correlation

A

correlation is the degree to which differing risks behave similarly in response to common events.

Risk concentration, the opposite of diversification, results in high risk correlations.

49
Q

Outline the risk concept:

capital

A

A business holds capital to:

  • manage its cashflow (working capital)
  • facilitate growth / new ventures (development capital)
  • to cover unexpected losses arising from exposure to risk (risk capital)
50
Q

Outline the benefits of the risk mapping process

A

Risk mapping can be a useful process, since:

  • it gets people together from across the organisation to talk about risks
  • it improves the enterprise’s understanding of the risks it faces …
  • … the effect of its risk management activities…
  • … and which risks require further attention
  • the final risk map is an excellent visual tool for reporting to the Board on risk.
51
Q

Outline what factors might be used to rank risk controls according to their perceived effectiveness

A
  • risk exposures are within tolerance levels
  • controls are in place
  • risks are linked to potential impact on return
  • risk metrics / dashboard reporting is established
52
Q

Discuss why emerging risks are important

A
  • knowledge of such risks will influence corporate strategy
  • they may affect the profitability of the organisation
  • they may yield opportunities for a new product. E.g. a new potentially fatal disease may represent a risk to a life insurer’s existing life assurance business and an opportunity for a new protection product.
53
Q

Outline 4 inter-related trends that give risk to emerging risk-management challenges

A
  1. globalisation - the increased interdependency of the world’s economies and markets
  2. technology - the new operational risks arising from technology-driven business.
  3. changing market structures - as markets are deregulated and privatised
  4. restructuring - the effects of mergers and acquisitions, joint ventures, outsourcing and business re-engineering
54
Q

3 Areas of emerging IT risks

A
  1. cyber security
  2. cloud computing
  3. social media
55
Q

3 Types of behavioural biases

A
  • overconfidence
  • anchoring
  • representative heuristics
56
Q

Why is risk capital important?

A
  • the financial strength of a company will be judged by reference to the relative levels of risk and risk capital
  • from a debtor’s perspective, risk capital provides protection against unexpected events and determines credit ratings
  • from an equity-holder’s perspective, returns should be judged relative to the level of risk capital
  • similarly, the allocation of risk capital to operational units enables risk-adjusted profitability to be determined and creates an “internal capital market” within the organisation.
57
Q

Behavioural bias:

overconfidence

A

the problem that people tend to overestimate their own abilities, knowledge and skills.

58
Q

Behavioural bias:

anchoring

A

the problem that people base perceptions on past experience or “expert” opinion

59
Q

Behavioural bias:

representative heuristics

A

people find more probable those things that they find easier to imagine

60
Q

4-stage process aimed at ensuring the risk identification and assessment process adds value to the business.
(Lam)

A
  1. FOUNDATION SETTING
    - – gaining executive sponsorship
    - – organising and planning of resources
    - – defining a risk taxonomy
    - – building customised risk identification and assessment tools
    - – educating and training project teams and management
  2. RISK IDENTIFICATION, ASSESSMENT AND PRIORITISATION
    - – understanding business objectives, risk appetite as well as regulatory and policy requirements
    - – undertaking risk assessments, both top-down and bottom-up
    - – producing risk reports and risk maps
    - – prioritising risks
  3. DEEP DIVES, RISK QUANTIFICATION AND MANAGEMENT
    - – more detailed assessments of the top risks
    - – producing risk tolerance statements and tracking KRIs
    - – determining risk management strategies and the total cost of risk (for pricing purposes)
  4. BUSINESS AND ERM INTEGRATION
    - – linking risk assessment with both strategic planning and business review processes
    - – integrating risk assessment into everyday business operations
    - – conducting scenario analysis and stress testing
    - – reporting on risk
    - – creating and maintaining loss/event databases
    - – establishing appropriate risk-escalation policies
61
Q

4-stage process aimed at ensuring the risk identification and assessment process adds value to the business.
(Lam)

  1. FOUNDATION SETTING
A

— gaining executive sponsorship

— organising and planning of resources

— defining a risk taxonomy

— building customised risk identification and assessment tools

— educating and training project teams and management

62
Q

4-stage process aimed at ensuring the risk identification and assessment process adds value to the business.
(Lam)

  1. RISK IDENTIFICATION, ASSESSMENT AND PRIORITISATION
A

— understanding business objectives, risk appetite as well as regulatory and policy requirements

— undertaking risk assessments, both top-down and bottom-up

— producing risk reports and risk maps

— prioritising risks

63
Q

4-stage process aimed at ensuring the risk identification and assessment process adds value to the business.
(Lam)

  1. DEEP DIVES, RISK QUANTIFICATION AND MANAGEMENT
A

— more detailed assessments of the top risks

— producing risk tolerance statements and tracking KRIs

— determining risk management strategies and the total cost of risk (for pricing purposes)

64
Q

4-stage process aimed at ensuring the risk identification and assessment process adds value to the business.
(Lam)

  1. BUSINESS AND ERM INTEGRATION
A

— linking risk assessment with both strategic planning and business review processes

— integrating risk assessment into everyday business operations

— conducting scenario analysis and stress testing

— reporting on risk

— creating and maintaining loss/event databases

— establishing appropriate risk-escalation policies

65
Q

PEST(ELI) analysis

A
one type of RISK PROMPT LIST covering
- Political, 
- Economic, 
- Social
- Technological
- Environmental, 
- Legal 
- Industry
risks.