Risk Flashcards
Risk
- The effect of uncertainty on objectives
- It is potential - what could happen (not positive or negative)
Antifragility
Ability to not just withstand high-impact events or shocks but to improve and benefit from them.
Risk management
- Coordinated activities to direct and control an organization with regard to risk
- Designed to change the probability of risk event occurring and/or degree of impact on organization’s objectives
Known knowns
Events that are to be expected and involve little uncertainty
Known Unknowns
Uncertainties we know exist, but don’t know much about their probability or impact
Unknown knowns
- Risks we mistakenly think we understand
- Black swans - unforeseen outlier events that are rare and have a major impact
Types of risk
- Strategy
- Operations
- Financial reporting
- Compliance
Internal and preventable risks
- Come from inside the organization
- Could include violations of ethics and failures in routine processes
Strategy risk
Risks that affect the organization’s ability to achieve its objectives
Operations Risk
Risks that affect the ways the organization creates value
Financial reporting risk
Risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition
Compliance risk
Risks associated with meeting the requirements of laws and regulations
Benefits of risk management
- Aligns the risk management process with the organization’s strategy and objectives
- More effective and consistent response to risk
- Losses are reduced and fewer resources wasted
- Risks are understood and managed
Barriers to risk management
- Structural
- Cognitive
- Cultural
Structural barrier to risk management
- Silo organizations
- Respond to risk in operational rather than strategic terms
Cognitive barrier to risk management
Need to think past “if then” scenarios to “what if” scenarios
Cultural barrier to risk management
- Be aware of the diverse workforce and their beliefs and attitudes toward risk
- Communicate the organization’s position and appetite for risk
An effective risk management program should
- Create and protect value
- Be an integral part of all organizational processes
- Be a part of decision making
- Address uncertainty
- Be systematic, structured and timely
- Be based upon the best available information
- Fit an organization’s risk and control environment
- Take into account human and cultural factors
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Facilitate continual improvement of the organization
Risk Organizational Framework Steps
- Management commitment
- Design a framework for managing risk
- Implementing risk management
- Periodic monitoring and review of the framework
- Continual improvement of the framework
Risk Management Process
1. Establish the context of risk (define risk appetite and set risk management goals)
2. Identify and analyze risks
3. Manage risks
4. Evaluate
The cycle then returns to step 1
Risk position
The organization’s desired gain or acceptable loss in value
Risk appetite
- Also called risk tolerance
- Amount of uncertainty an organization is willing to pursue or to accept to attain its risk management goals
Risk appetite/risk tolerance affect
- Amount of risk that will help the organization reach, or will interfere with, its strategic goals
- Characteristic attitude toward risk
- Resources or risk capacity
- Externally imposed requirements (fire prevention programs)
- Loss expectancy
Single loss expectancy (SLE)
- Expected monetary loss every time a risk occurs
- Single loss expectancy = asset value * exposure factor
Annualized loss expectancy (ALE)
- Expected monetary loss for an asset due to a risk over a one-year period
- Annualized loss expectancy = single loss expectancy * annualized rate of occurrence
Misaligned risks
- Moral hazard
- Principal-agent problem
- Conflict of interest
Moral hazard
- One party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.
- Ex: insurance
Principal-agent problem
- Situation in which an agent (employee) makes decisions for a principal (employer) potentially on the basis of personal incentives that may not be aligned with the principal’s incentives.
- Ex: providing incentives
Risk control
- An action taken to manage a risk
- The first step when evaluating a risk is to see whether risk controls are in place, and then whether they are effective
- Ex: safety training, requiring signatures
MECE
- Mutually exclusive and comprehensively exhaustive
- Identify all possible risks and all strategic and operational aspects of the business and avoid duplication or overlapping identification
Duty of care
- Principle that organizations should take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury
- Applies throughout the entire employment lifespan
Duty of care how to understand the risks
- Consult with experts and information sources
- Focus groups and individual interviews
- Surveys
- Analyzing processes
- Direct observation
Hazard
- Potential for harm
- Often associated with a condition or activity that, if left uncontrolled, can result in injury or illness.
Risk level formula
Risk level = probability of occurrence * magnitude of impact
Risk scorecard
- Tool used to gather individual assessments of various characteristics of risk; risks are weighted more heavily according to their strategic importance
- Examples of risk characteristics: frequency, degree of impact, loss or gain for the organization
Risk Matrix
- Simple grid where the horizontal axis is probability and the vertical axis is severity of impact
- Doesn’t reflect the degree to which the organization is prepared against the threat
PAPA model includes
- Prepare
- Act
- Park
- Adapt
PAPA Prepare
- Low likelihood and fast speed of change
- Contingency plans must be in place and early indicators defined
PAPA Act
- High likelihood and fast speed of change
- Threats and opportunities require an immediate response to a threat occurring or causing significant damage
PAPA park
- Low likelihood and slow speed of change
- Good time to monitor changes, but not to be involved in mitigation or contingencies
PAPA Adapt
- High likelihood and slow speed of change
- May affect the organization significantly
- Ex: hiring new employees with disabilities; the office should be updated accordingly, but not necessarily immediately
Key risk indicators (KRIs)
- Metrics that provide an early signal of increasing risk exposures for an enterprise.
- Change the way risks are prioritized or the management actions taken
- Need to be strategically aligned
Risk register
- Lists the information and responsibilities for managing specific risks
- Increases transparency and accountability for risk management process
- Can be developed incrementally as part of risk management process
Risk management tactics include
- Upside risk management tactics
- Downside risk management tactics
Upside risk management tactics
- Optimize
- Share
- Enhance
- Ignore
Downside risk management tactics
- Avoid
- Transfer
- Mitigate
- Accept
Avoidance Risk Treatment
Decision not to become involved in, or action to withdraw from, a risk situation
Retention Risk Treatment
Acceptance of the burden of loss or benefit of gain for a risk
Residual risk
Amount of uncertainty that remains after all risk management efforts have been exhausted.
Risk management objectives should
- Be strategically focused
- Combine activities and results
- Combine lagging and leading metrics
- Modify risks related to noncompliance
- Instill risk management principles in the organization’s members and processes
Lagging metrics
Look backward at what has been accomplished
Leading metrics
Measure performance that will affect results in the future
Emergency preparedness and business continuity require:
- Contingency plan
- Response capability to secure employee health and safety and continue productivity
Contingency plan and its goals
- Protocol that an organization implements when an identified risk event occurs.
- Include time frames
- Supported with training and opportunities for practice
- Developed with specific goals in mind
- Immediate security for employees, company assets and stakeholders
- Comply with local laws and regulations
- Document and report as required
HR involvement in contingency plans
- Policies
- Define and communicate policies to avoid or mitigate risk
- Evacuation and relocation
- Maintain rosters
- Communication
- Training
- Continuity
Crisis Management and Readiness Process (No Crisis)
- Identify and manage risks
- Develop crisis management plan
- Train, test, drill
- Learn
- Evaluate and revise plans as needed
Then goes back to step 1
Crisis Management and Readiness Process (Crisis)
- Identify and manage risks
- Develop crisis management plan
- Crisis
- Activate plans
- Recover, learn, improve
- Evaluate and revise plans as needed
Then goes back to step 1
Workplace violence protection
- Policy outlining the organization’s stance toward workplace violence and the response procedures that prevent a response from escalating
- Create a response team
- Conduct drills (including active shooter drills)
IT threat prevention
- Create policies and procedures to prevent and respond
- Have rules regarding technology use
- Should be in the employee handbook
- IT training should be required
Communicating a disease risk in the workplace includes
- Notification and verification of disease risk
- Understanding the disease and resources
- Identify the scope of the risk
- Determine the employer risk
- Handle internal and HR compliance matters
Goals of evaluation in risk management
- Increase transparency and accountability by measuring and reporting risk management results
- Ensure compliance with requirements
- Assess the effectiveness of individual risk management strategies
- Assess effectiveness of organization’s risk management framework (values, policies, processes and culture)
- Continually improve by investigating incidents and identifying opportunities for improving strategies and framework
Frequency of evaluating risk management
- After every major incident
- Agreed intervals (ex: annually)
After-action debriefs
- Meetings to examine the effectiveness of a risk response strategy
- Ex: workplace evacuations, in-place lockdowns for security reasons, a workplace injury or act of violence, or temporary relocation of operations.
Incident investigations
- Meetings that are more limited in scope than after-action debriefs but take a similar approach
- Ex: angry dispute that becomes physical and needs intervention, workplace injury
Documentation of incidents
- Must be well documented and reported to external parties
- Often legally required
Whistleblowing
- Reporting by employees of an organization’s violations of policies and processes
- Some countries protect whistleblowers from retaliation
Quality Assurance (QA)
Actions an organization takes to be sure it is performing work according to the standards it has set and is using specified processes correctly and completely