Module 3: Risk Assessment Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

What are the deliverables of risk management?

A

Risk registers
Risk matrices
Risk reports

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How does the ISO 31000 risk management standard describe the process of risk management?

A

“The systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording, and reporting risk”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the process for “Establishing the Context” set out by ISO 31000?

A

External context (what does world look like, what are drivers and trends)
⬇️
Internal Context (what are our objectives, capacity, business processes, how do we make decisions)
⬇️
Context of the risk management process (what is the process expected to achieve, who is responsible, what resources are required)
⬇️
Defining risk criteria (What determines whether risk is acceptable and if it should be controlled, how can we measure our total risks)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What risks can the external environment present?

A
Regulatory or legal requirements 
Societal conditions 
Political challenges 
Financial/ economic constraints 
Cultural restrictions 
Competition 
Environmental conditions

These can be international, national, regional or local.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How can stakeholder analysis help us to understand external risk sources?

A

Stakeholder analysis is often carried out during the development of a communications plan. It can provide focus on who may be affected by, or may perceive themselves to be affected by, or who may be interested in your organisation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the internal sources of risk information

A

Historic risk information - usually found in previous risk registers or databases.

Historic results from performance indicators.

Audit or quality assurance outcomes.

Use of isomorphic learning from within the business (also external). This is the learning that can take place across a business sector. Risks that impact one department/ sector may also impact others.

Internal risk community groups.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the external sources of risk information?

A

External consultants.

External risk community groups.

Regional, national, or international professional bodies. E.g the IRM.

Industry focused or risk management specific media.

Government bodies and standards.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Define’Risk Source’

A

The ISO 31000 standard defines risk source as the ‘…element which alone or in combination has the potential to give rise to risk’ (ISO, 2018:2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Why do people assume risk is a “hard discipline”

A

Risk is assumed to be a hard discipline because it involves statistics, analysis and a rigorous approach. However the reality is that risk is managed by people not process or techniques.

People also think risk is hard because because it is difficult to do, however when done properly it should be an easy and intuitive process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which professional bodies or industry bodies would be able to provide useful information to help with the risk assessment process?

A

Ensuring that you keep yourself informed of what is going on in your industry, sector, and organisation, will help you to recognise emerging risks that although affecting others currently, may affect you in the future.

Resources:
IRM
Lexology
ABI
BIBA
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What does PESTLE stand for

A

Politics, Economic, Sociological, Technological, Legal, and Environmental (or Ethical)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the responsibilities of each stage of the 3 lines of defence model

A

Own - senior managers, employees

Advise - risk ma after, compliance

Assure - internal/ external audit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Why might a risk assurance model fail?

A
  • lack of board and senior management sponsorship and commitment
  • risk management framework not sufficient developed
  • different terminology and methods used by assurance providers
  • no one taking ownership
  • different self interests
  • lack of competency or skills amongst staff
  • timing of activities- risk management is not an overnight process
  • reluctance among some assurance providers / risk managers to share information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are the top 10 priorities for risk management?

A
  • understand your stakeholder needs and expectations
  • validate the purpose and position of risk management
  • communicate with the ARC
  • facilitate positive change
  • drive efficiency
  • attract, retain and develop talented people
  • promote risk as a key element of good governance
  • focus on maturity levels and continuous improvement
  • add value and show this by measuring performance
  • link risk and assurance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

PESTLE may be considered a risk classification system with a emphasis on hazard risk. What are the advantages of PESTLE?

A
  • simple framework
  • facilitates an understanding of the wider business environment
  • encourages the development of external and strategic thinking
  • anticipates future business threats
  • helps identify actions to avoid or minimise impact of threats
  • facilitates identification of business opportunities
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the disadvantages of using the PESTLE analysis as a means of identifying risks?

A
  • can over simplify the amount of data used for decisions
  • needs to be undertaken on a regular basis to be effective
  • requires different people being involved with different perspectives
  • access to quality external data sources can be time consuming and costly
  • difficult to anticipate developments that may affect an organisation in the future
  • risk of capturing too much data that makes it difficult to see priorities
  • can be based on assumptions that subsequently prove to be unfounded
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

PESTLE classification system:

Define ‘Political’

A

Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

PESTLE classification system:

Define ‘Economic ‘

A

Economic growth/ decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment, credit availability, cost of living etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

PESTLE classification system:

Define ‘Sociological’

A

Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

PESTLE classification system:

Define ‘Technological’

A

Technology changes the impact your products or services, new tech, barriers to market entry, financial decisions like outsourcing and supply chain

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

PESTLE classification system:

Define ‘Legal’

A

Change to legislation that may impact employment, access to materials, quotas, resources, imports/ exports, taxation etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Why is the inclusion of reputations risk in the FIRM risk scorecard not universally accepted?

A

It is sometimes argued that damage to reputation is a consequence of other risks materialising and should not be considered as a separate risk category.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the link between PESTLE and SWOT

A

It is often suggested that the PESTLE risk classification system should be used in conjunction with an analysis of the strengths, weaknesses, opportunities and threats (SWOT) facing an organisation. A SWOT analysis of each of the 6 PESTLE categories is recommended by the Orange Book

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Why don’t the main risk management systems identify compliance risks?

A

Risks can be defined as hazard, control and opportunity, or they can be classified as long term, medium term or short term. If either of these classifications systems is used there is a possible that compliance risks will not be identified because they do not fit with a classification system based on timescales. A further difficulty with compliance risks is that there is often a requirement for a trigger event. An organisation can be exposed to a number of compliance risks but it may be difficult to identity the particular issue that will become a problem.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What are the advantages of having a risk classification system? (BS 3100)

A
  • Accumulations of risk that could undermine a key dependency or business objective can be identified
  • Responsibility for improved management of each different type of risk can be more easily identified/ allocated if risks are classified
  • Decisions and knowledge about the type of control(s) that will be implemented can be taken on a more structured and informed basis
  • Circumstances where the risk appetite of the organisation is being exceeded (or the risk criteria not being implemented) can be more easily identified
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What does FIRM stand for

A

Financial
Infrastructure
Repetitional
Marketplace

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

FIRM risk scorecard

What is the measurement/ performance indicator for each of the FIRM attributes

A

Financial- usually quantifiable. Measured by gains and losses from internal financial control

Infrastructure- sometimes quantifiable. Level of efficiency in processes and operations

Reputation - not always quantifiable. Nature of publicity and effectiveness of marketing profile

Marketplace - quantifiable. Income from commercial and market activities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

FIRM risk scorecard

What is the performance gap for each of the FIRM attributes

A

Financial - procedures - failure of procedures to control internal financial risks

Infrastructure- process - failure of processes to operate without disruption

Reputation- perception- failure to achieve the desired perception

Marketplace- Presence - failure to achieve required presence in the marketplace

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

What are the main risk classification systems?

A

COSO, IRM standard, BS31100, and FIRM risk scorecard.

Other commonly used risk classification systems that can be used to provide structure to a risk assessment are the SWOT and PESTLE analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

What are the classification headings for the main risk classification systems?

A

COSO - strategic, operations, reporting, compliance

IRM standard- Financial, strategic, operational, hazard

FIRM - financial, infrastructure, reputation, marketplace

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

What is the benefit of classifying risks as short, medium and long term?

A

Although not a formalised risk classification system, the classification of risks into short , medium, and long term helps to identify risks as being related (primarily) to operations, tactics, and strategy, respectively

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

What would be classified as a short term risk?

A

A short term risk has the ability to impact the objectives, key dependencies and core processes, with the impact being immediate. These risks can cause disruption to operations immediately when the event occurs. Short term risks are predominantly hazard risks.

Short term risks usually impact the ability of the organisation to maintain effective and efficient core processes that are concerned with the continuity and monitoring of routine operations. There is a need to mitigate short term risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

What would be classed as a medium term risk?

A

A medium term risk has the ability to impact the organisation following a (short) delay after the event occurs. Typically the impact of a medium term risk would not be apparent immediately but would appear with a year, maximum, of the event. Medium term risks usually impact the ability of the organisation to maintain effective and efficient core processes that are concerned with the management of tactics, projects and other change programmes. These medium term risks are often associated with projects, tactics, enhancements and other developments. There is a need to manage these medium term risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

What could be classified as a long term risk?

A

A long term risk has the ability to impact the organisation some time after the even occurs. This would typically be 1-5 years. These risks usually impact the ability of the organisation to maintain the core processes that are concerned with the development and delivery of effective and efficient strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

What is the purpose of the bow-tie illustration?

A

To demonstrate that sources of risk can lead to events that have consequences

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

How do we summarise the need to respond to risks according to whether they arise from strategy, tactics, operations, or compliance (STOC)?

A

EM3

Embrace, Manage, Mitigate & Minimise

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

What is the benefit of a a formalised risk classification system

A

Formalised risk classification systems enable the organisation to identify where similar risks exist within the organisation. Classification of risks also enables the organisation to identify who should be responsible for setting strategy for management of related or similar risks. Finally, appropriate classification of risks will enable the organisation to better identify the risk appetite, risk capacity and total risk exposure in relation to each risk, group of similar risks or generic type of risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

What is at the centre of the bow tie illustration?

A

The event in the centre of a bow tie illustration lists the components of the organisation that is impacted by the event - 4p’s

People, premises, processes, and products

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

How are the impacts of a an event described in a bow tie illustration?

A

FIRM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

What are the sources of project risk?

A

The primary sources of project risk will include the following, but will vary depending on the project context such as the industry, location, and sector. There is no one size fits all.

Business environment 
Host industry
Sponsors organisation 
Business case
Project brief
User requirements 
Project team
Design, specification, layout
Internal approvals 
External approvals 
Change controls 
Procurement 
Implementation 
Testing and commissioning
Handover
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

What are the potential benefits of project risk management?

A
Supporting the business case
Increased chance of success 
Make objectives clear/ prioritised 
Procurement will reflect risk appetite 
Forces team to think collaboratively 
Validated funding requirements 
Protects reputation 
Improving accountability/ decision making
Better understanding of legal requirements 
Improved integration into operations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

What is the difference between a PEST and a SWOT analysis?

A

A PEST analysis measures a market, a SWOT analysis measures a business unit, a proposition or an idea.

PEST only covers environmental analysis, whereas SWOT considers both company (internal) and environmental (external) analysis.

43
Q

What can a SWOT analysis be used for?

A

A SWOT analysis can be used to draw out the risks and opportunities facing an enterprise and has the advantage of being quick to implement and easily understood. Analysis of SWOT brings together the results of analysis of the company (internal) and environment (external).

SWOT is good because it stimulates thinking that is not overly structured or restrictive.

44
Q

What might supervisory authorities expect an operationally resilient firm to have in place?

A

A clear understanding of most important business services.

A comprehensive understanding and mapping of the systems and processes that support these services, including those over which the firm might not have direct control.

Knowledge of how a failure in one area could impact other areas.

Knowledge of which systems or processes could be substituted.

Tested continuity plans.

Effective internal comm plans.

Effective escalation procedures.

Specific external comm plans including information for customers.

45
Q

Why is it important to plan on the basis that operational disruptions will occur?

A

It is not possible to prevent every risk materialising, and dependencies are often only identified once something has gone wrong.

46
Q

Why might priorities between firms and supervisory authorities not be aligned?

A

Supervisory authorities may believe that a disruption to a business service would harm their objectives, while a firm might consider any disruption to be a manageable risk.

47
Q

What do supervisory authorities consider to be the most effective focus for managing operational resilience?

A

Supervisory authorities consider that managing operational resilience is most effectively addressed by focusing on business services rather than on systems and processes. Firms are more likely to be operationally resilient if they design and manage their operations on the assumption that disruptions will occur

48
Q

Under requirements such as Internal Capital Adequacy Assessments and Risk Control, boards and senior management should be able to articulate the circumstances which may lead to the firms failure, develop their own risk appetites, and oversee delivery of risk mitigation. What should this include?

A

An assessment of the adequacy of a firms operational resources to maintain resilience, relevant to the firms ability to remain viable.

Effective risk management of their organisation, people, processes and technology assets, all of which support the continuity of business service delivery during operational disruptions

49
Q

What kinds of harm could arise from operational resilience failures?

A

Disruption to supply of new business services - applications are rejected and delays occur.

Availability and integrity of existing business services - customers unable to access services e.g. unpaid bacs could lead to fees and impact on credit ratings.

Availability of a vital link in the value chain- a custody bank which is unable to confirm ownership of assets could delay asset valuations.

Unauthorised access to market sensitive data

50
Q

What are the potential benefits of setting impact tolerances?

A

The supervisor authorities consider that setting impact tolerances for the most important business services could:
A) support firms and markets in prioritising investments and resources
B) provide a clear scope when firms and markets want to test their own resilience
C) provide a focus for supervisory engagement
D) consider substitute options more broadly

51
Q

What FCA rules and guidance are relevant to a firms operational resilience?

A

The FCA principles - at a high level, the FCAs Principles for business set out general statements on the fundamental obligations for firms and includes “a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”.

Threshold Conditions - represent the minimum conditions which a firm is required to continue to satisfy to be given and retain permission to carry on regulated activities under part 4A FSMA.

COND - provides guidance on how the FCA will approach its assessment of applicable threshold conditions. Of particular relevance is the FCAs assessment of the risks to the continuity of the services under the appropriate non-financial resources threshold condition COND 2.4.4G

SYSC - includes rules and guidance about risk management and risk centric governance arrangements

Many of these derive from EU law such as the markets in financial instruments directive.

52
Q

What do the FCA rules say about operational risk management?

A

SYSC 4.1.1R: “A firm must have robust governance arrangements, which includes a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to”

SYSC 4.1.6R to 4.1.7R: sets out rules relating to business continuity for common platform forms, CRR firms and management companies.

SYSC 7.1: includes further provisions on risk for certain firms.

SYSC 21.1: provides guidance on risk-centric governance arrangements, including guidance on whether a CRO should be appointed and governing body risk committee established.

SYSC 13: sets out detailed guidance for insurers about management of operational risk.

53
Q

What are the supervisory authorities objectives relating to operational resilience?

A

The bank has an objective to protect and enhance the stability of the financial system of the UK.

The bank sets out in its Financial Stability Strategy that financial stability is the consistent supply of the vital services that the real economy demands from the financial system. These vital devices include providing the mechanism for paying for goods, services and financial assets, and intermediating between savers and borrowers and insuring against and disputing risk.

The bank seeks to ensure markets are designed and operated in a safe way to reduce risk in vital payment and clearing arrangements and the banks operation of the real time gross settlement (RTGS) service and Clearing House Automated Payment system CHAPs) supports this.

The PRA and FCA objectives are also defined in the financial services and Markets Act (FSMA). They seek to promote safety and soundness of firms, provide protection for consumers, and promote competition.

54
Q

What do regulators expect from firms regarding impact tolerances?

A

Supervisory authorities envisiage that firms can determine their own impact tolerances, explaining their own how their impact tolerance has been arrived at for important business services, how it relates to regulatory objectives and in which scenarios a breach of the impact tolerance could be accepted. These are likely to be limited to the most severe but plausible scenarios.

Impact tolerances would need to be expressed clearly and would be separate from any risk appetite or recovery time objectives (RTO). Impact tolerances express an upper limit where a breach is to be avoided in all but the most extreme scenarios. Risk appetite and RTOs on the other hand tend to express a desired outcome that is achieved with high probability. The regulators anticipate that firms will be able to explain the relationships between impact tolerances, risk appetites and RTOs.

An example of an impact tolerance in practice: the bank sets a time and volume based impact tolerance as operator of CHAPs. The Bank states that all payments (volumes) should be settled by the end of the day (time) in all, even extreme, circumstances.

55
Q

How would you describe a risk using metalanguage?

A

A three part structures description of a risk that separates cause, risk and effect, in the form:

As a result of a , may occur, which would lead to .

Understanding cause and effect allows the grouping of risks in the assessment step. Cause and effect information can also assist when planning responses.

56
Q

Explain the issues in trying to be comprehensive in identifying risks.

A

We cannot foresee everything that might happen.

Joharo window.

There will always be risks that we have not identified but risk identification process should minimise these.

57
Q

Describe four risk identification tools and techniques.

A

Brainstorming through structured risk workshops which produces a large number of ideas. Group thinking is more productive than individual thinking.

Delphi - a systematic collection and coalition of judegements from subject experts.

Structured or semi-structured interviews.

SWOT analysis.

58
Q

Explain the key skills of a risk facilitator in implementing risk identification.

A

Some of the key skills of a facilitator include:
Being able to work with large and increasingly diverse groups, working face to face or virtually, dealing with conflict, sustaining participation, guiding groups to outcomes.

59
Q

How should risks initially be prioritised?

A

The prioritisation I’d identified risks should initially by undertaken through qualitative rating.

The highest priority risks cannot be identified until all risks have been identified. We then need to assess the likelihood (probability, chance or frequency) of occurrence and the effect (consequence , severity* or impact) it would have should it occur.

  • Wording is key and should be consistent. The term severity is only used in relation to threats.
60
Q

What are the pros and cons of quantitative analysis?

A

Quantitative analysis is not a precise science as it is based on subjective estimates however it can be helpful to articulate perceptions of likelihood and impact in order to aid decision making and to provide a framework for thinking about the problem.

Decision making becomes ‘tighter’ as soon as the risks are quantified and the assessment is progressively refined as more information becomes available.

61
Q

How can you lessen the impact of subjectivity in risk rating?

A

Qualitative risk analysis is a subjective task which can be influenced by the priorities and knowledge of those involved - people have different opinions of what is high, medium or low impact based on their experience and culture (human factors).

Objectivity is added to prioritisation process to ensure a consistent rating is used which is understood by all involved, and which provides a priority for risks in a ‘holistic, non-prejudiced manner’ (Hillson & Simon, 2012). This can be done by introducing and analysis scheme where likelihood and impacts are given values. There is a standard 5 point scale for both likelihood and impact, although some organisations use a 3 point, or even a 7 point scale.

62
Q

What is the purpose of P-I scales?

A

The purpose of probability - impact scales is to determine if a risk matters or not in relation to our objectives.

63
Q

Why is it important to set percentage ranges correctly?

A

A low upper range will result in more ‘top’ risks being prioritised.

Ranges should be used instead of single point estimate, otherwise the upper and lower points will be fixed beyond the point at which you are not expecting any risk to occur.

Ranges should not be used for health and safety risks - cannot grant a range of acceptability to someone dying!

Hopkin (2018) considers where risks may occur more than once within the timeframe set, which means that percentage ranges may not be relevant for the likelihood scale. Some risks are better described using frequency, especially if they may occur more than once.

64
Q

Define frequency in the context of likelihood.

A

Hills on and Simon (2012) define frequency as “a measure of likelihood for a specific risk that could occur repeatedly over a given period of time or in a given number of trials. Frequency of occurrence is usually expressed as a number of occurrences per unit of time or per total number of trials.”

65
Q

When should you use percentage ranges and when should you use frequency ranges when discussing likelihood?

A

One off events can be discussed with frequency ranges and risks that may occur more than once should be given frequency ranges.

66
Q

Define Risk Appetite

A

Risk appetite is defined by the IRM as “the amount of risk an organisation is willing to seek or accept in persuit of its long term objectives”.

Risk appetite relates to the risks you want to take, within the boundaries of a tolerance of risks you don’t want to take. This needs to be set in the context of risk capacity, defined by Hollson and Murray-Webster as “the ability of an organisation to bear risks, quantified against objectives“.

67
Q

Define risk tolerance

A

Risk tolerance is defined as “the boundaries of risk taking outside of which the organisation is not prepared to venture in persist of its long term objectives”

68
Q

How do appetite and tolerance relate to risk ratings?

A

Risk appetite tends to be descriptive but express a range of performance that is acceptable around each objective. Objectives therefore need to be described in a measurable way I.e using a performance indicator which can include the best tolerable result.

In most cases the medium impact scale will represent either the worst tolerable threshold (for threats) or the best realistic threshold (for opportunities) and these will be within risk appetite.

69
Q

Should risk impact scales be changed over time?

A

No. Risk appetite may change over time due to external factors, however if the impact scales change it will be difficult to undertake comparisons between risks over time because the measurement has altered.

70
Q

What are the techniques for causal analysis?

A

Cause and effect (also called fishbone or Ishikawa) diagram - this does not have a statistical basis but is excellent for uncovering the sources of a risk and mapping relationships. Simple and adaptable, this diagram is commonly developed in brainstorming sessions. The diagram is commenced by writing the potential effect on the far right side and adding risk events as bones attached to the backbone ‘arrow’.

71
Q

What are the advantages of an Influence diagram?

A

They provide a framework for discussion of interdependencies of decisions and events and the management of the problem without requiring and formal mathematical, probabilistic or statistical notation.

They provide a significant contribution towards reducing large volumes of data to their essential parts.

They can provide a degree of sensitivity analysis to show how much influence particular decisions or uncertain events have upon outcomes.

72
Q

Define ‘consequences’.

A

ISO 31000 defines consequence as the “outcome of an event affecting objectives’.

73
Q

Define ‘probability’.

A

ISO guide 73 defines probability as the measurement of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossible and 1 is absolute certainty (2009).

74
Q

What is Pareto Analysis?

A

Pareto Analysis is the simple process of ranking or ordering risks once they have been assessed to determine the order in which they should be managed.

Once the risks have been ranked they can be expressed pictorially as a bar chart with the most frequently occurring cause appearing first on the left. This is known as a Pareto diagram (available in Excel).

Commonly, Pareto diagrams reveal that 20% of the risks within an analysis contribute over 80% of the risk exposure, following the 80/20 rule or Pareto principle: the “vital few and trivial many”.

75
Q

Define inherent risk

A

Inherent risk is defined in BS 31100 (2011) as the exposure arising from a specific risk before any action has been taken to manage it.

76
Q

Define current or residual risk.

A

Residual risk is defined in BS 31100 as the risk remaining after risk treatment.

77
Q

What additional scales can be used to evaluate a risk?

A

Strategic impact
Manageability
Impact window/ proximity/ velocity

78
Q

What is an action window?

A

The period of time when effective action can be taken is another important factor when assessing a risk. The urgency of addressing a risk might increase its priority. Impact and action windows are often presented on an overlay chart indicating risks with high proximity and urgency.

79
Q

Explain how risk appetite can be used to inform the impact scales.

A

Organisations should express their risk appetite through the impact scales used to measure risks.

Risk appetite is most usefully expressed as a threshold around target objectives.

Objectives therefore need to be described in a measurable way.

Impact scales should be developed so that even if the organisation's appetite, and therefore its thresholds, change, the impact scales can still accommodate those changes.

80
Q

Explain a bow tie analysis.

A

A risk bow tie is used to map out the progression of a risk from underlying cause to risk event to effect. In the middle, the knot of the bow represents an event which has the potential to affect the achievement of objectives.

The left half of the bow tie represents the underlying conditions or causes; the right half represents what unfolds after the event occurs, including any modifying capabilities that are in place and the effects of the event upon objectives.

81
Q

What are the components of risk assessment?

A

Risk identification
Risk analysis
Risk evaluation
Decision making

82
Q

What three roles does Garlick attribute to quantitative risk assessment?

A

To help managers understand the risks they are taking.

To help managers be clear that the rewards are commensurate with these risks.

To help managers work more effectively with their partners on risk management, risk sharing and risk allocation, at the right price.

83
Q

Define Accounting

A

“The process of collecting, measuring, recording, and communicating financial information about a business to those who need that information to help them manage the business, or make other decisions about their engagement with the business” - Lymer and Azmat, 2010

84
Q

Describe double-entry bookkeeping

A

In double-entry bookkeeping the financial value of all purchases of credit items (what you owe to other parties, the creditors) and of the sales items to customers (what is owed to you by other parties, referred to as debtors) is recorded.

This information is essential in understanding a firm's ability to bear risk and its risk appetite. As accounts are usually balanced monthly, any changes can affect risk appetite at any given time.

A firm's annual accounts can help you to understand the values at risk.

85
Q

What is a balance sheet?

A

A balance sheet is a financial statement that shows what a business is worth at a point in time. A standard balance sheet has three parts: assets, liabilities and ownership equity or capital. These three segments give an idea of what the company owns and owes, as well as the amount invested by the shareholders.

86
Q

Define Risk Evaluation

A

ISO 31000 defines risk evaluation as the process of comparing the results of risk analysis with the established risk criteria to determine the significance of risk. (ISO, 2018: 13)

87
Q

What methods are used when looking at the overall effect or magnitude of a risk?

A

These methods have historically fallen within two camps: health, safety and environment based methods, such as Failure Mode Effect Analysis (FMEA), and root cause analysis, such as Monte Carlo simulation or Bayesian statistics.

88
Q

What are the different types of statistical models according to Garlick?

A

Reliability model - not often used in business but used for binary situations (fault and effect trees)

Cost models - most common modelling for risk assessment.

Schedule models - considered essential for project management.

General models - influence diagrams, Bayesian networks and decision trees.

89
Q

What must be considered before embarking on any risk modelling?

A

Whether all identified risks need to be costed.

Whether the risks should be transferred to another party.

Whether the risk can be managed and the only costs are of actions to manage it.

Whether the impact is lessened already by contingency plans.

90
Q

Where we are uncertain of the probability bands of a risk, and where we want to examine the impact of interconnected risks we may want to examine a set of “what if” scenarios. What technique can be used for this?

A

The Monte Carlo simulation technique may be helpful when dealing with a large set of possibilities. Monte Carlo generates possible scenarios which are weighted by the probability of their occurrence. Thus each risk can be represented by a probability distribution rather than a single value. The objective is to calculate the combined impact.

91
Q

How does Garlick (2007) group statistical models?

A

Reliability model - not often used in business but more in relation to binary situations, when something happens or not, such as fault and event trees

Cost models - most common modelling for risk assessment

Schedule models - considered essential for project management

General models - models related to, but separate from the others, including influence diagrams, Bayesian networks and decision trees

92
Q

Define probability

A

The definition of probability is given in ISO Guide 73 as the measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossible and 1 is certain.

93
Q

Define impact

A

Hopkin (2018) uses the term impact “to define how the event affects the finances, operations, reputation and/or marketplace (FIRM) of the organisation”.

94
Q

Which extreme value statistical distributions consider high impact/ low likelihood risks?

A

There are three extreme value statistical distributions:
Gumbel
Fréchet
Weibull

In practice this kind of risk is usually managed to ensure that it is insured, excluded or transferred, rather than included in a quantitative assessment.

95
Q

Why might quantitative risk analysis be required?

A

Qualitative analysis does not always provide sufficient information to help with risk-based decision making. Quantitative analysis helps us to fully understand the potential impact and the cost-benefit analysis. As Garlick (2007) notes, we undertake quantitative analysis to help managers understand the risks they are taking, be clear that the rewards are commensurate with these risks, and work more effectively with other parties.

96
Q

Summarise the preparation that should be done prior to implementing quantitative analysis.

A

Before embarking on any modelling it is necessary to first consider:
Whether all identified risks need to be costed (financial or time based)
Whether the risk should be transferred
Whether the risk can be managed
Whether the impact is lessened by existing contingency plans

• 4Ts

97
Q

Explain how annual accounts help you to understand the values at risk within the organisation

A

Many different parties will have a reason to want to review a firm's financial statements, such as a bank deciding whether to offer a loan, or employees evaluating prosperity. Some of the things it might be helpful to look at are:

Gross profit and mark up percentages - wide variations between periods might indicate a problem

Rate of stock turnover

Liquidity ratios - ability of the firm to pay debts as they become due.

Gearing ratios - describing the mix of loan finance and equity finance, i.e. the money invested from borrowed and non-borrowed funds. A high gearing percentage indicates exposure to financial risk, as interest charges will have to be paid as well as the loan when it is due.

98
Q

Explain how relationships of probability are important in reflecting the relationships of risks to each other and to other activities within an organisation

A

Most risks have some relationship with other activities or risks. Most have some measure of interdependency and will follow the basic concepts of the use of probabilities, such as the complement of an event, conditional probability, addition rules, intersecting events, joint probabilities and multiplication laws.

Some risks can occur instead of other risks. In some cases one event can only occur when another event has already occurred (conditional probability).

Bayes’ theorem can be used to explain how probabilities can be revised when new information is obtained.

99
Q

Discuss the pitfalls of quantitative risk analysis

A

There are several concerns regarding quantitative analysis. Risks are uncertain future events to which we are trying to assign quantities. When trying to allocate quantities to risk, we should remember that the allocation is an estimate with which we are trying to predict the future. It is essential to spend time ensuring the data that underpins these estimates is as relevant and as accurate as possible, otherwise the quantitative assessment may be wrongly treated as not only objective but correct.

Garlick (2007) considers three risks in terms of quantification:
Systematic underestimation of the cost and time to carry out the activity
Systematic underestimation of the management resources and managerial talent needed to achieve objectives
The essential unpredictability of the future environment

100
Q

What are the most common deliverables from quantitative risk analysis?

A

Distribution graph and cumulative graph.

The distribution graph identifies the number of times something occurred within a range during a simulation. It can highlight anomalies. Low probability/high impact risks can skew the graph and give a two-humped graph where the event falls outside the main bell-shaped curve. These risks should be separated and managed in a different way.

The cumulative graph can be derived from the frequency distribution by summing up the frequencies for all values up to and including the value for which the cumulative frequency is required, thus giving a running total which produces a line graph or an S-curve.

101
Q

Explain the basic components of a risk communication plan.

A

6 rugby players sat on a bench.

Who - stakeholders/ target audience
What - information required 
Why - what information is used for
Where - depository of information 
When - one off? Level of frequency? 
How - format e.g. risk register 
Who by - who is responsible for producing and delivering the information

102
Q

List the main sections of a risk register.

A

The risk register can hold a great deal of information generated through risk assessment, risk treatment, and monitoring and reviewing, including: risk categories, causes, risks, effects, likelihood, impact, probabilities, cost and schedule ranges, risk owner, existing controls, response strategies, detailed actions, action owners, action review dates, additional likelihood, impact, and risk levels for inherent, residual or target ratings.

103
Q

Describe the Monte Carlo simulation

A

Monte Carlo is a technique used to understand the impact of risk and uncertainty in financial, project management, cost, and other forecasting models.

A Monte Carlo simulator helps one visualise most or all of the potential outcomes to have a better idea regarding the risk of a decision.

Can be used for claims reserving, e.g. estimating the amount lost in a one-in-two-hundred-year event. See SCR.

104
Q

Why is NPV superior to ARR and PP?

A

Net Present Value addresses:
• the timing of the cash flows.
• the whole of the relevant cash flows, irrespective of when they are expected to occur.
• the objectives of the business and shareholders. Positive NPVs enhance wealth, negative ones reduce it.