Risk Control Flashcards

1
Q

What is the difference between loss prevention and loss reduction?

A
  1. LOSS PREVENTION: Tools that reduce the PROBABILITY of a loss event by targeting CAUSES (e.g. process failures; external events), of which there may be multiple. Includes:
    - IT firewalls;
    - No smoking policies;
    - Segregation of duties;
    - Door locks;
    - Driver safety training.
  2. LOSS REDUCTION: Tools that mitigate the EFFECTS of loss events (financial / non-financial).
    - Data back-up arrangements;
    - Fire extinguishers;
    - Whistleblowing arrangements;
    - Burglar alarms;
    - Insurance.
2
Q

What are the common causes and effects of loss events?

A
  1. CAUSES:
    - People (error, negligence, criminal acts).
    - Processes (design flaws, fallible human inputs).
    - External events (weather, politics, terrorism, economic events).
  2. Effects:
    - Resource loss (assets, cash).
    - Human resource loss (illness, injury, death).
    - Reputational damage (customer loss, goodwill diminution).
3
Q

What is the purpose of risk control?

A
  1. Prevention of CAUSES and REDUCTION OF EFFECTS of loss events.
  2. Enablement of organisations to SEIZE OPPORTUNITIES to ACHIEVE or SEIZE OPPORTUNITIES.
4
Q

What are the ‘Five Ts’ of risk control?

A
  1. TOLERATE (accept/retain) - Risk exposure may be tolerable without further action, or the control actions may be limited, disproportionate or unaffordable.
  2. TREAT (control/reduce) - Continuation of risk-generating activity with controls taken to limit risks to acceptable levels.
  3. TRANSFER (insurance/contract) - Achieved through conventional insurance, indemnity or otherwise. Typical for mitigation of financial risks to assets.
  4. TERMINATE (avoid/eliminate) - Inescapable for certain risks. More scope to apply in the private sector (v. public sector).
  5. TAKE THE OPPORTUNITY (M&A/new products and ventures) - Apt for certain risks with appropriate risk-opportunity balance - not taking the opportunity may present larger risk. May be combined with other risk control techniques.
5
Q

What are the four forms of risk control?

A
  1. Preventative (terminate) - LIMIT POSSIBILITY of risk event. The more severe the event, the more important appropriate preventative controls are. [HIGH IMPACT / LIKELIHOOD OF RISK]
  2. Corrective (treat) - LIMIT SCOPE FOR LOSS arising from realised risk outcome. May also provide RECOURSE for LOSS RECOVERY. [HIGH LIKELIHOOD / LOW IMPACT OF RISK]
  3. Directive (transfer) - Ensure ACHIEVEMENT OF PARTICULAR OUTCOME (e.g. ensuring losses do not occur). [HIGH IMPACT / LOW LIKELIHOOD OF RISK]
  4. Detective (tolerate) - IDENTIFY UNDESIRED RISK EVENTS on an after-the-event basis, with acceptance of ensuing loss. [LOW IMPACT / LOW LIKELIHOOD OF RISK]
6
Q

What are the differences between formal and informal controls?

A
  1. INFORMAL - SOCIAL MECHANISMS of control. Controls are almost NEVER DOCUMENTED and do NOT HAVE PHYSICAL PRESENCE. Include an organisation’s CULTURE and RISK CULTURE, relating to beliefs, values and perceptions.
  2. FORMAL - Provide a clear and tangible risk control mechanism, through one or more of the following characteristics:
    - PHYSICAL PRESENCE (e.g. door locks);
    - DOCUMENTED within a policy or procedure;
    - Include TANGIBLE SANCTIONS (e.g. disciplinary arrangements).
7
Q

What is retained risk financing?

A
  1. Risk financing tool to MITIGATE LOSS events associated with TREATING, TOLERATING OR TERMINATING a risk.
  2. Involves RETAINING, rather than transferring, the FINANCIAL EFFECTS of a loss event.
  3. Retained risk remains within the LEGAL and FINANCIAL BOUNDARIES of the organisation and hence may affect cashflow, profit or surpluses, and the balance sheet.
  4. May support four principal forms of risk control:
    - TOLERATE (pre-funding to better tolerate losses);
    - TREAT (pre-funding to protect organisational cashflows);
    - TRANSFER (pre-funding to mitigate insurance inadequacy/claim dispute);
    - TERMINATE (pre-funding to absorb termination, redundancy, severance and other costs associated with termination).
8
Q

How does funded retained risk financing function?

A
  1. A funding pot is established before or after a loss has to be financed.
  2. Funded retained risk financing may be used if conventional risk transfer (e.g. insurance) is unnecessary, unavailable or too expensive.
9
Q

Why may retained risk financing be unfunded?

A
  1. Potential for a given loss event was NOT IDENTIFIED (i.e. risk identification failing).
  2. Full effects of a loss event were NOT UNDERSTOOD (i.e. risk assessment failure).
  3. There is a RISK TRANSFER FAILURE (e.g. insurer disputes claims).
  4. Organisation decides financial effects of a loss event are NOT SIGNIFICANT ENOUGH to require funding.
10
Q

What is insurance risk transfer?

A
  1. Typically used for risk events with LOW PROBABILITY but HIGH IMPACT.
  2. Transfers losses arising from HAZARD risks and (to a degree) CONTROL risks.
  3. A BROKER or INSURANCE INTERMEDIARY is usually retained to DESIGN an insurance programme, PURCHASE insurance and provide CLAIMS-HANDLING. Larger organisations may retain an internal insurance function, or this may be assumed by the company secretary.
11
Q

What is crisis management?

A
  1. Crisis management refers to how an organisation handles DISRUPTIVE and POTENTIALLY UNEXPECTED EVENTS that threaten to harm the organisation, its stakeholders or the general public.
  2. Crisis management approach = risk management approach - IDENTIFICATION, ASSESSMENT, CONTROL and MONITORING of crisis risks.
  3. Crisis management insights from OTHER ORGANISATIONS may be helpful.
  4. SCENARIO ANALYSIS with RELEVANT EXPERTS may be helpful to FORECAST CAUSES of crisis events, and resulting CONSEQUENCES.
12
Q

What are the five steps relevant to crisis management?

A
  1. SIGNAL DETECTION - Establishing early warning signs of a crisis (near misses, IA findings, RM reports, external events, operational performance).
  2. PREPARATION AND PREVENTION - Preventative steps to pre-empt crisis causes; preparatory steps to address crises.
  3. CONTAINMENT AND DAMAGE CONTROL - Steps undertaken to LIMIT ADVERSE EFFECTS of a crisis (e.g. BCP, communications, emergency services engagement).
  4. BUSINESS RECOVERY - May be long-term; may be reduced with EFFECTIVE RECOVERY PROCESSES (replacement of lost assets; availability of funding).
  5. LEARNING FROM CRISIS - Identifying and implementing learning opportunities.
13
Q

What are business continuity plans?

A
  1. BCPs are prepared on an ORGANISATION-WIDE or FUNCTIONAL BASIS to SUPPORT BUSINESS RECOVERY.
  2. Common for IT DISRUPTIONS or ESSENTIAL OPERATIONAL PROCESSES.
  3. Outlines responsive ACTIONS to be taken to MINIMISE BUSINESS DISRUPTION and support efficient RECOVERY.
  4. Common acronyms:
    - MTPD - Maximum Tolerable Period of Disruption;
    - RTO - Recovery Time Objective;
    - RPO - Recovery Point Objective.
  5. BCPs should indicate roles and responsibilities, and provide for periodic testing.