Module 2 - Past Paper (June 2018) Flashcards
Answers from a high-scoring paper
ALARP is one of the fundamental principles of risk management for health and safety. Describe how you would determine that risk had been reduced ‘as low as reasonably practicable.’
A risk's impact and likelihood should be assessed to determine its severity. This could be completed by using a risk matrix. Risk responses or treatments (controls) should then be reviewed by determining cost and time impacts. If controls are used to mitigate the risk up to, but not beyond, the point where the cost of the control outweighs the benefit of the risk reduction, the risk can be considered reduced to as low as reasonably practicable.
Give an example of an organisational function you would expect to find in each line of the 3 Lines of Defence Model.
1st line of defence: sales team (‘the business’)
2nd line of defence: Enterprise Risk team
3rd line of defence: Internal Audit
Define what is meant by the ‘information and communication’ phase of the COSO ERM framework.
The information and communication phase of the COSO ERM framework relates to the sharing of risk assessment results and other useful risk data with stakeholders. This can be done informally, or via the formal risk reporting structure. Information can include RCSA results, incident logs, remediation plans and the risk management process.
Describe three ways in which Corporate Social Responsibility (CSR) can benefit an organisation.
CSR can benefit an organisation by:
1) Attracting, retaining and motivating talent to the firm.
2) Helping the firm achieve its license to operate.
3) Managing and mitigating risks associated with CSR
Examiner's note: This answer is a bit too short for a 'describe' question. The candidate could have scored more marks by expanding on each of these valid points.
Identify the categories of risk specified by Hopkin.
Hopkin identifies four categories of risk: control, hazard, opportunity and compliance.
Complete the following sentence by entering the four missing words: _______ risks________objectives, and the level of _______ of such risks is a measure of their __________
Hazard risks ______ objectives, and the level of impact of such risks is a measure of their ______.
State the first stage in the risk management process according to ISO 31000
The first stage in the risk management process according to ISO 31000 is to establish the context.
Describe four aspects of an organisation’s internal context.
Four aspects of an organisation's internal context:
- Nature
- Stakeholders (staff)
- Organisational structure (depts/divisions)
- Size and complexity
Examiner’s note: We awarded 1.5 marks for this answer, with only the word ‘nature’ being too vague to be awarded any credit here.
Define what the overall approach of Governance, Risk and Compliance is based on.
tbd
Describe the six components of the PESTLE risk classification system and state what type of risk this tool is best used for analysing.
PESTLE risk classification system. Examples:
- Political: change in government or policies.
- Economic: changes in the labour market or interest rates.
- Socio-Cultural: change in demographic or stakeholder interests.
- Technological: obsolescence or the cost of new opportunities.
- Legal: Regulations and laws.
- Environmental: Building standards, CSR and waste standards.
PESTLE is best used as a tool for analysing external risks.
Identify what a ‘hybrid’ approach to the structure of risk management activities means.
A hybrid approach to the structure of risk management in an organisation would consist of a mix of firm-wide policies set centrally, along with more specific risk management policies and procedures set locally for certain teams, departments and locations.
A centralised approach would have common risk management policies and procedures set at head office and cascaded throughout the business.
A decentralised approach would be the local management of risk by team, location or department.
Identify one potential benefit from having a shared risk vocabulary across an organisation.
A shared risk vocabulary would provide consistent terms that can more easily be understood by stakeholders and avoid confusion.