ORA RM QUIZ 2 (M1 - M2) Flashcards
According to _____, risk is:
A chance or possibility of danger, loss, injury, or other adverse consequences.
Oxford English Dictionary
According to _____, risk is:
An effect of uncertainty on objectives, which may be positive, negative, or a deviation from the expected. It is often described by an event, a change in circumstances, or a consequence.
ISO Guide 73 ISO 31000
note
3 TYPES = POSITIVE, NEGATIVE, DEVIATION from expectation
According to _____, risk is:
The combination of the PROBABILITY of an event and its consequence, which can range from positive to negative.
Institute of Risk Management (IRM)
note:
PROBABILITY
According to _____, risk is:
Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
Orange Book from HM Treasury
NOTE:
no mention of positive or negative
According to _____, risk is:
The uncertainty of an event occurring that could have an impact on the ACHIEVEMENT of the objectives and is measured in terms of consequences and likelihood.
Institute of Internal Auditors
According to _____, risk is:
An event with the ability to impact (inhibit, enhance or cause doubt about) the effectiveness and efficiency of the core processes of an organization.
Hopkin, Paul (2018). Fundamentals of Risk Management (5th Edition)
note:
management focused
t or f
Risk may be considered to be related to an opportunity or a loss or the presence of uncertainty for an organization.
T
t or f
Every risk has its own characteristics that require particular management or analysis.
t
An event or anything that will prevent the organization from achieving its business objectives or the effective execution of its strategies to achieve those objectives.
These are uncertainties that can be obstacles preventing the company from attaining its desired outcome. A desired outcome usually provides the company the opportunity to create value for its various stakeholders.
■ Accordingly, companies take risks when they see that there are opportunities that they want to seize and, to some extent, exploit to create value.
Business Risk
What are the 4 attributes of Business Risk?
– Uncertain
– Emerging
– Associated more with intangibles (Tangible / Intangible)
– Sources (Internal / External)
note:
(Internal sources of risks: people, processes, technology, governance, and policy are much EASIER to manage because these are usually within the control of management)
(External sources of risks, such as laws and regulations, market dynamics, and natural disasters, pose challenges to the company, as these are usually BEYOND the control of the organization)
What are the 4 risk classification systems?
According to:
- the nature of the attributes of the risk, such as timescale for impact, and the nature of the impact and/or likely magnitude of the risk.
- the timescale of impact after the event occurs.
- the source or origin of the risks.
- the nature of the impact of the risks.
What are the 3 types of risk?
– hazards (or Pure) Risks (AKA absolute risk)
– Control (or UNcertainty) Risks
– Opportunity (Or Speculative) Risks
One of the types of risks
■ Best and the longest-established branch of risk management.
■ Associated with a source of potential harm or a situation with the potential to undermine objectives in a negative way.
■ The most common risks associated with organizational risk management, including occupational health and safety programs.
– hazards (or Pure) Risks (AKA absolute risk)
One of the types of risks
■ Associated with unknown and unexpected events.
■ Sometimes referred to as extremely difficult to quantify.
■ In this risk, it is known that the events will occur, but the precise consequences of those events are difficult to predict and control.
– Control (or UNcertainty) Risks
One of the types of risks
- This type of risk is often associated with project management.
– Control (or UNcertainty) Risks
One of the types of risks
■ May not be visible or physically apparent, and they are often financial in nature.
■ Although these risks are taken with the intention of having a positive outcome, this is not guaranteed.
■ Examples of these risks for small businesses include moving a business to a new location, acquiring new property, expanding a business and diversifying into new products.
- Opportunity (or speculative) Risks
What are two main aspects of opportunity risks:
(1) risks/dangers associated with taking an opportunity
(2) risks associated with not taking the opportunity.
(Long, Medium, Short) Term Risks?
- are risks that will impact an organization several years, perhaps up to five years, after the event occurs or the decision is taken.
■ they relate to strategic decisions such as the risk associated with launching a new product.
Long Term
(Long, Medium, Short) Term Risks?
are risks that will impact an organization several years, perhaps up to five years, after the event occurs or the decision is taken.
■ they relate to strategic decisions such as the risk associated with launching a new product.
Medium term
(Long, Medium, Short) Term Risks?
■ risks have their impact immediately after the event occurs.
■ accidents at work, traffic accidents, fire and theft are examples of short-term risks that have an immediate impact and immediate consequences as soon as the event has occurred.
■ They cause immediate disruption to normal efficient operations and are probably the easiest types of risks to identify and manage or mitigate.
Short term
It refers to the chances of an unlikely event happening; in risk management literature, the word “probability” is often used to describe the likelihood of a risk materializing.
likelihood
It is the impact of the risk and can be considered as its gross or inherent level before controls are applied.
magnitude
it is a tool used to plot the nature of individual risks so that the organization can decide whether the risk is acceptable and within the risk appetite and/or risk capacity of the organization. It provides a visual representation of risks. It can also be used to indicate the likely risk control mechanisms that can be applied and to record the inherent, current (or residual), and target levels of the risk.
Risk Matrix
read only:
- Hazard risks undermine objectives or may impede or prevent the achievement of the company’s objectives.
- Hazard risks, when they materialize, will have a large impact on the organization, such as potential financial costs, destruction of infrastructure, damage to reputation and the inability to function in the marketplace.
- Compliance risks can be substantial for many organizations; failure to achieve the level of compliance activities required by the relevant regulating body can have a significant impact on the reputation of the organization and substantial consequences for routine business activities.
- Risks can also impact the key dependencies that deliver the core processes of the organization.
- Risks are taken by organizations to achieve rewards.
Strategic / Tactical / Operational?
set the future direction of the business
Strategic decisions
Strategic / Tactical / Operational?
concerned with turning strategy into action by achieving change
Tactical
Strategic / Tactical / Operational?
Related to the day-to-day operations of the organization, including people, information security, health and safety, and business continuity
Operational
Risk management according to ______
- Coordinated activities to direct and control an organization with regard to risk.
ISO Guide 73 ISO 31000
note: CONTROL
Risk management according to ______
A process that aims to help organizations understand, evaluate, and take action on all their risks with a view to increasing the PROBABILITY of success and reducing the likelihood of failure
Institute of Risk Management (IRM)
NOTE: PROBABILITY
Risk management according to ______
All the processes involved in identifying, assessing, and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
HM Treasury
Risk management according to ______
■ Selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk.
London School of Economics
NOTE:
AVOID MITIGATE AVOID REDUCE / NEGATIVE WORDS
Risk management according to ______
The set of activities within an organization that are undertaken to deliver the most favorable outcome and reduce the volatility or variability of that outcome.
Hopkin, Paul (2018). Fundamentals of Risk Management (5th Edition). Kogan Page: London
NOTE:
volatility / favorable
Risk management according to ______
A process that identifies loss exposures faced by an organization and selects the most appropriate techniques for treating such exposures.
Rejda, George (2017). Principles of Risk Management and Insurance (13th Edition). Pearson Education Ltd., England
NOTE:
EXPOSURE
Fill in the blank
RM as a discipline has been around for at least _____ years. The early origin of risk management is in the specialist activity of ________. Risk control standards increased, especially in relation to the insurance of _____ being transported by ships around the world.
100 years
insurance
Cargo
_____ is one of the earliest developments in the field of RM that determined the level of cargo that a ship could safely transport without being dangerously overloaded.
Plimsoll line
■ The development of education and qualifications in risk management, as well as the more structured approach of regulators, led to the emergence of risk management standards such as the _____________, one of the early examples of a comprehensive approach to the management of risk.
AS/NZS 4360:1995
In the 1960s and 1970s, there were considerable developments in the risk management approach adopted by __________ and __________.
occupational health and safety practitioners
■ In the 1980s, the application of RM techniques to project management developed substantially, as well as in ___ and ____ risks.
market and credit
In the 1990s, financial institutions broadened their RM initiatives to include operational risks, greater emphasis on ________, & the 1st appointment of a Chief Risk Officer
Enterprise Risk Management (ERM)
■ During the ____, financial services firms started to develop internal risk management systems and capital models.
■ During the _____ financial crisis, the contribution of RM to corporate success had been questioned because it was not able to prevent the financial crisis.
2000
2008
4 Benefits of Risk management
___________ - Compliance refers to risk management activities designed to ensure that an organization complies with legal and regulatory obligations.
__________ – The Board of an organization will require assurance that significant risks have been identified and appropriate controls put in place.
________ - In order to ensure that correct business decisions are taken, the organization should undertake risk management activities that provide additional structured information to assist with business decision making.
__________ – Enhance the efficiency of the operations; help ensure that business processes are effective; strategy is efficacious, in that it is capable of delivering exactly what is required.
CADE3
Compliance
Assurance
Decisions
Efficiency/Effectiveness/Efficacy
9 Specialist Areas of Risk Management
- Health and safety at work
- Quality Management
(insert field) Planning
- Disaster recovery planning
- Business continuity planning
(Insert field) Risk Management
- Project Risk Management
- Clinical/medical risk management
- Energy risk management
- Financial risk management
- IT risk management
What are the steps of the RISK MANAGEMENT PROCESS (7Rs), in order, and the 4Ts?
– Recognition of Risks
– Ranking of Risks (Magnitude and Likelihood)
– Responding to risks
   – Tolerate
   – Treat
   – Transfer
   – Terminate
– Resourcing Controls (sustain control and ensure adequate arrangements)
– Reaction Planning (eg. Disaster recovery / Continuity planning)
– Reporting on Risk
– Reviewing and Monitoring
5 Principles of Risk Management (Module 1)
— Proportionate
— Aligned
— Comprehensive
— Embedded
— Dynamic
PACED
Format for basic risk register
(State all columns involved)
- Risk Index
- Risk Description
- Current level of risk (likelihood, magnitude, overall rating)
- Controls in Place
Sets out the overall approach to the successful management of risk, including a description of the risk management process, together with the suggested framework that supports that process.
■ The combination of a description of the risk management process, together with the recommended framework.
Risk Management Standard
____ is one of the most popular standards of ISO (International Organization for Standardization), an independent, non-governmental international organization with a membership of 167 national standards bodies.
ISO 31000 Standard
In the Philippines, the ISO member body is the _____________
BPS (Bureau of Philippine Standards)
The ISO 31000 Standard is composed of 3 parts, which are:
■ ISO 31000:2018 (RM Guidelines)
■ IEC 31010: 2019 (RM Risk Assessment Techniques)
■ ISO GUIDE 73: 2009 (RM Vocabulary)
- Provides guidelines on managing risk faced by organizations.
■ Provides a common approach to managing any type of risk and is not industry or sector specific.
■ Can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
ISO 31000:2018 (Risk Management Guidelines)
- Provides guidance on the selection and application of techniques for assessing risk in a wide range of situations.
■ The techniques are used to assist in making decisions where there is uncertainty, to provide information about particular risks and as part of a process for managing risk.
IEC 31010:2019 (RM Risk Assessment Techniques)
■ Provides the definitions of generic terms related to risk management.
■ It aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk.
ISO Guide 73: 2009 (RM Vocabulary)
ISO 31000:2018 Definition of Terminologies
effect of uncertainty on objectives.
RISK
ISO 31000:2018 Definition of Terminologies
- is a deviation from the expected, which can be positive, negative or both and can address, create or result in opportunities and threats.
EFFECT
ISO 31000:2018 Definition of Terminologies
- coordinated activities to direct and control an organization with regard to risk.
RISK MANAGEMENT
ISO 31000:2018 Definition of Terminologies
persons or organizations that can affect, be affected or perceive themselves to be affected by a decision or activity.
STAKEHOLDERS
ISO 31000:2018 Definition of Terminologies
element, which alone or in combination, has the potential to give rise to risk.
RISK SOURCE
ISO 31000:2018 Definition of Terminologies
occurrence or change of a particular set of circumstances; it can have one or more occurrences, and can have several causes and several consequences.
EVENT
ISO 31000:2018 Definition of Terminologies
the outcome of an event affecting objectives; it can be positive or negative, and its effects direct or indirect.
CONSEQUENCE
ISO 31000:2018 Definition of Terminologies
- the chance of something happening; the equivalent term used is probability.
LIKELIHOOD
ISO 31000:2018 Definition of Terminologies
- measure that maintains or modifies risk, and may include any process, policy, device, practice or other conditions and/or actions which can maintain or modify risk.
CONTROL
What are the 8 ISO 31000:2018 principles?
Integrated
Structured and Comprehensive
Customized
Inclusive
Dynamic
Best Available Information
Human and Cultural Factors
Continual Improvement
ISCI DB HC
What are the 6 components of the Risk Management Framework (and which one is at the center)?
Leadership and Commitment (Center)
Integration
Design
Implementation
Evaluation (measure RM framework against purpose, place, expected behavior)
Improvement (adapt to internal and external)
LIDI IE
___ involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording & reporting risk.
Risk management process
What are the 6 components of the risk management process, in order?
- Communication and Consultation
- Scope, Context and Criteria
- Risk Assessment (risk identification, risk analysis, risk evaluation)
- Risk Treatment
- Monitoring and Review
- Recording and Reporting
Establishing the Context
ISO 31000 states that the first stage in the risk management process is to establish the context.
■ The three (3) components of organizational context are:
- _________ is described as the risk architecture, strategy and protocols or the risk management framework within the organization.
- _________ refers to the organization itself, the activities it undertakes, the range of skills and capabilities available within the organization, and how it is structured.
- __________ is the environment within which the organization exists. This environment will include consideration of the business sector within which the organization operates, external stakeholders and their expectations and the external financial environment.
Risk management context
Internal context
External context
_____________ is the leading professional body for Enterprise Risk Management (ERM). With over 30 years of experience, it has set the leading industry standards for risk management.
■ A not-for-profit membership body with members in all industries, in all sectors, all over the world.
IRM
according to IRM
____ is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
RM
_____ is a joint initiative of the five private sector organizations listed below and is dedicated to providing thought leadership through the development of FRAMEWORKS and guidance on ENTERPRISE risk management, internal control and fraud deterrence.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Read only
The five (5) organizations that comprise COSO are:
■ American Accounting Association
■ American Institute of Certified Public Accountants
■ Financial Executives International
■ The Association of Accountants and Financial Professionals in Business
■ The Institute of Internal Auditors
The ______ provides a framework against which risk management and internal control systems can be assessed and improved.
COSO ERM
____ uses the cube to illustrate the links between business objectives on the top of the cube and the eight components shown on the front. These categories of business objectives are also the categories of risks that organizations face. The third dimension of the cube represents the business units of the organization and illustrates that ERM should be implemented across all locations and all activities within the organization.
COSO
COSO ERM FRAMEWORK (read only)
- Internal environment - The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed.
- Objective setting - Objectives must exist before management can identify potential events affecting their achievement.
- Event identification - Internal and external events affecting achievement of objectives must be identified, distinguishing between risks and opportunities.
- Risk assessment - Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed.
- Risk response - Management selects risk responses - avoiding, accepting, reducing, or sharing risk.
- Control activities - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and communication - Relevant information is identified, captured, and communicated so that people can fulfil their responsibilities.
- Monitoring - The entirety of enterprise risk management is monitored and modifications made as necessary.
_____ is a non-profit organization representing accounting professionals in Canada. The organization represents Canadian chartered accountants (CAs) both nationally and internationally.
■ It was responsible for developing generally accepted accounting principles (GAAP) for Canadian accounting techniques and also publishes guidance and educational materials on a number of accounting-related topics.
Canadian Institute of Chartered Accountants’ Standard