Risk and Opportunity Framework Flashcards
Name some regulatory drivers for Operational Risk Management?
- Corporate Governance.
- Sarbanes-Oxley Act (USA)
- Patriot Act (USA)
- Basel II (Banking Industry)
- HIPAA (USA)
- Data Protection Legislation (EU)
- PCI
What are the aims, benefits and characteristics of the Risk and Opportunity Framework?
- Achieve a balance between realising opportunities for gains while minimising losses.
- Establish an appropriate infrastructure and culture, and apply a logical and systematic method.
- Embedded into an organisation's philosophy, practices and business processes.
- Early warnings and fewer surprises.
- Economic and efficient exploitation of opportunities.
- Improved planning through the provision of information for decision making.
- Accountability, assurance and governance.
Applications of Risk Management:
- Strategic, Operational and business planning.
- Asset Management, resource planning and allocation.
- Business interruption and continuity.
- Change: Organisational, technological and political.
- Liability: design, product, director, public, health and safety.
- Environmental, ethics, fraud and security issues.
- Compliance and Governance.
- Procurement and contracting.
- Project and Operations Management.
Risk Analysis Measures Risk Elements:
- Identify, qualify and value assets and business impacts.
- Apply suitable metrics.
- Rank risks in a relative priority order.
- Provide a base for risk management decisions.
- Identify where additional controls are required.
Issues with the threat-driven approach:
- Quantification requires good actuarial data (which we don’t have)
- Statistical data is often not relevant in a dynamic technical environment; the past is usually a poor predictor of the future.
- Scare tactics ask for investment to track negatives (like Y2K).
- Technical Threats are not well understood by the Stakeholders.
- Impact is a much clearer starting point.
Advantages of the Impact-based Approach:
- Much broader view of the business goals.
- Provides a good view of business criticality.
- Allows priorities to be established.
- Focuses attention on business and mission-critical risks.
- Uses language that is understood by business managers.
- Involves the business managers in the process.
- Speed, cost, usability.
Doing business means taking risks.
All business is based on exploiting opportunities to further the goals of the enterprise.
- With each opportunity comes potential threats, and thus risk.
- To do business is to take risks.
- However, the level of residual risk must be acceptable within the risk appetite of the organisation (but can never be zero).
What are Operational Risks?
Operational Risk is usually seen as a down-side risk, i.e. things that can go wrong.
- In SABSA Operational Risk can also be an upside risk.
- Business enablement is achieved through excellence in operational processes, people, and technical systems.
What is SABSA's Approach to Impact?
The impact is expressed as positive or negative consequences of potential events upon attributes.
Negative Impact is expressed as:
- Reduction in Attribute performance.
- Failure to meet the Attribute performance target.
Positive impact is expressed as:
- Increase in attribute performance.
- Increase in attribute performance threshold to a higher target.
Attributes determine Risk Thresholds.
The performance target on an attribute provides the threshold for acceptable risk.
- The attribute target is by definition a business goal/objective.
- Failure to meet it must therefore be an unacceptable outcome.
- This parameter is a key element of enabling risk assessment to be less subjective.
Early Warnings are provided by the introduction of a second risk/performance threshold.
- The early warning is defined as the secondary threshold, because the primary exists in every scenario and is of the greatest consequence.
What is a key risk indicator (KRI)?
A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization’s risk appetite and have a profoundly negative impact on an organization’s ability to be successful.
What are some examples of KRIs?
- Level of financial risk exposure.
- Throughput capacity of a manufacturing or production facility.
- Staffing levels.
- Price of crude oil.
- Level of traffic on an internet site.
- Level of experience of staff working on a project.
Risk Management Objectives: Taxonomy for Analysis of threats and opportunities (External, examples):
- Regulations & Regulators
- Shareholders & investors
- Political conditions
- Market Conditions
- Legislation
- Competitors
- Ethical Pressures
- Cultural Pressures
- Economic Conditions
- Outsourced service providers
- Partnerships & JVs.
- Natural Disasters
- Governments
- Supply Chain
- Contracts
- Criminals
- Terrorism
- Customers
- Trade Unions
- Climate & Weather
PESTELIM Analysis?
External Business Context Analysis, identifying:
- Opportunities
- Threats
PESTELIM factors:
- Political factors
- Economic factors
- Social factors
- Technological factors
- Environmental factors
- Legislative factors
- Industry factors
- Military factors
Risk Management Objectives: Taxonomy for Analysis of threats and opportunities (Internal, examples):
- Logistics
- Business Operations
- Information Systems
- Authority & Responsibilities
- Skills & Competencies
- Business Processes
- Culture & Ethics
- Strategy
- Risk Appetite
- Management Styles
- People Management
- Finance
- Goals & Expectations
- Board Members
- Organisation Structure