Module 2 - Unit 3 - Risk Culture, Appetite, and Tolerance Flashcards
What is risk culture?
Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation
Outline the IRM’s ABC approach to risk culture.
The Culture of a group arises from the repeated Behaviour of its members. The Behaviour of the group and its constituent individuals is shaped by their underlying Attitudes. Both Behaviour and Attitudes are influenced by the prevailing Culture of the group.
- Risk attitude is the chosen position adopted by an individual or group towards risk, influenced by risk perception and pre-disposition
- Risk behaviour comprises external observable risk-related actions, including risk-based decision-making, risk processes, risk communications etc.
- Risk culture is the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation.
What is necessary for a good risk culture?
- Good communication of the organisation’s expectations of all staff – this could be through policies, presentations, staff newsletters, induction processes, written documents, posters and job descriptions.
- Convincing employees that they will personally benefit from good risk management practices.
- Involvement in the risk identification process to achieve greater buy-in.
- Training programmes that instil the right practices and knowledge.
- Investment in the use of effective IT security tools and active and transparent monitoring of IT usage that is made clear to all employees.
What are the steps for successful ERM implementation?
- Engage senior management and board of directors to provide organizational support and resources.
- Establish an independent ERM function reporting directly to a board member.
- Establish the risk architecture at executive and board levels, supported by internal audit.
- Develop the ERM framework that incorporates an appropriate risk classification system.
- Develop a risk aware culture fostered by a common language, training and education.
- Provide written procedures with a clear statement of the risk appetite of the organization.
- Agree monitoring and reporting against established objectives for risk management.
- Undertake risk assessments to identify accumulations and interdependencies of risk.
- Integrate ERM into strategic planning, business processes and operational success.
- Contribute to the success of the organization by delivering measurable benefits.
What does LILAC stand for? Briefly outline each element.
Leadership - Strong leadership within the organization in relation to strategy, projects and operations
Involvement - Involvement of all stakeholders in all stages of the risk management process
Learning - Emphasis on training in risk management procedures and learning from events
Accountability - Absence of an automatic blame culture, but appropriate accountability for actions
Communication - Communication and openness on all risk management issues and the lessons learnt
What are the four N’s of risk culture and how do they relate to the FOIL characteristics?
Naïve - Fragmented - Risk management activities are fragmented and focused on legal compliance activities, such as health and safety
Novice - Organised - Actions are planned to co-ordinate risk management activities across all types of risk, although plans may not have been fully implemented.
Normal - Influential - Embedded ERM processes are influencing processes and management behaviours, but this may not yet happen consistently or reliably.
Natural - Leading - Consideration of risk is a substantial factor in making business decisions and decisions about strategy are led by ERM considerations.
What are risk appetite and risk attitude?
Risk appetite is the immediate or short-term willingness of an organization to undertake an activity that involves risk.
Risk attitude and the risk criteria represent a longer-term view of risk in the same way as a person will have an immediate appetite for food and a longer-term attitude towards food.
What are the disadvantages of a Total Cost of Risk calculation approach?
Disadvantages of the TCOR calculation:
- It depended substantially on historical information. Historical loss data is not necessarily a good guide to future loss performance.
- It encouraged organizations to seek the lowest overall cost for the management of hazard risks. Unfortunately, this lowest cost approach often proved to be a mistake when a major incident occurred.
- Whilst it could represent the lowest cost for the management of hazard risks, that might be achieved at a high overall risk position. It is worth noting that the purchase of too much insurance could represent a position for the organization that is the lowest risk position but achieved at a high overall cost.
What are some potential triggers for risk management training?
Examples of when to undertake risk training:
- When a manager is newly appointed or has been given new or additional responsibilities.
- When an individual member of staff has been given a new role and/or procedures have been updated.
- Following a recent incident or loss at the organization or at a competitor’s premises or location.
- On a refresher basis – and this may be a legal requirement in certain circumstances.
What are the key guidelines for risk communication?
Risk communication guidelines
- Know the stakeholders, by identifying both external and internal stakeholders and finding out their interests and concerns
- Simplify the language and presentation, although not the content if complex issues need to be communicated
- Be objective in the information provided and differentiate between opinions and facts
- Communicate clearly and honestly, taking account of the level of understanding of the audience
- Deal with uncertainty and discuss situations where not all information is available and indicate what can be done to overcome these problems
- Be cautious when putting risks in perspective, although comparing an unfamiliar risk with a familiar one can be helpful
- Develop key messages that are clear, concise and to the point, with no more than three messages communicated at any one time
- Be prepared to answer questions and agree to provide further information if it is not currently available
What types of information can be handled, stored, managed, distributed and communicated using a risk management information system (RMIS)?
The following types of information may be handled, stored, managed, distributed and communicated using a risk management information system (RMIS):
- Risk management policy and protocols
- Risk profile data, values and information
- Emergency contact arrangements and contact details
- Insurance values and cost of risk data
- Insurance claims handling and management protocols
- Historical loss/claims experience/information
- Insurance policy coverage and other information
- Risk management action plans (risk register)
- Risk improvement plans and implementation
- Business continuity plans and responsibilities
- Disaster recovery plans and responsibilities
- Corporate governance arrangements and reports
What skills are required of a risk manager?
Two areas of technical skills are required by a risk practitioner:
• Competency across a range of risk management issues and activities.
• Business skills in order to understand the external context and internal context within which the organization operates.
Skills associated with planning risk management strategy
• Evaluate status - Evaluate the organizational context and objectives and map the external and internal risk context
• Develop strategy - Develop risk strategy and risk management policy and develop the common language of risk
Skills associated with implementing a risk management architecture
• Design architecture - Design and implement risk management architecture, roles and responsibilities
• Develop processes - Develop and implement the risk management processes, procedures and protocols
• Build awareness - Build a culture of risk awareness aligned with other management activities
Skills associated with measuring risk management performance
• Facilitate assessments - Facilitate the identification, analysis and evaluation of risks, and design record-keeping procedures
• Evaluate controls - Evaluate existing performance and evaluate efficiency and effectiveness of existing controls
• Improve controls - Facilitate the design and implementation of necessary and cost-effective control improvements
Skills associated with learning from risk management experience
• Evaluate framework - Evaluate risk management strategy, policies and processes, and introduce improvements
• Design reports - Develop understanding of reporting requirements, design reporting formats and produce appropriate reports
People skills that are required in the business environment can be classified as communication, relationship, analytical and management (CRAM) skills.
What are the 5 C’s of communication?
When communicating a message, it is useful to think about the ‘5Cs’ of communication. The message should be clear, concise, coherent, credible and complete:
- A clear message will ensure that the recipient understands your purpose in communicating with them;
- A concise message is more likely to be received because you have stuck to the point and kept it brief;
- A coherent message is logical, with all the points being connected and relevant to the main topic;
- A credible message will convince the audience that you understand their concerns and priorities;
- A complete message provides the audience with everything they need in order to take the necessary action.