Risk-control strategies Flashcards

1
Q

What does risk control involve? (3)

What can risk control help an organisation do?

Strategic investments can help organisations to seize new opportunities. Name 2 types of strategic investments.

A

Risk control involves
(1) the application of tools to influence the probability and/or impact of a risk event
(2) the mitigation of follow-on effects that risk events may have on the continuity of an organisation’s operations or its reputation
(3) preventing the causes and reducing the effects of loss events

Help seize opportunities, allowing it to achieve and sometimes exceed its objectives by protecting its cash flows

  1. Flexible manufacturing systems or IT systems can help organisations to seize new opportunities = allow organisations to adapt their production processes, modifying their products and services to exploit changes in customer needs and wants
  2. Market research as a risk control tool can be used to take advantage of potential opportunities for new product ideas and markets
2
Q

MANAGING PROBABILITY AND IMPACT

What are the common causes of loss events? (4)

What are the common effects of loss events? (3)

A

The causes of loss events are typically due to one or more of the following:
1. people (human error, negligence and criminal acts);
2. processes (poor process design, excessive reliance on fallible human input or breakdown);
3. systems (systems failure);
4. external events (weather, politics, terrorism and economic events).

Effects:
(1) loss of resources (asset damage or loss of cash);
(2) loss of human resources (injury, ill health or death);
(3) loss of reputation, including customer goodwill.

3
Q

MANAGING PROBABILITY AND IMPACT

What are the 2 ways an organisation may reduce its exposure to loss events?

Can a risk-control tool do both?

What are loss prevention tools?

Name 3 examples.

A

By (1) lowering the probability that a given event will occur or (2) by mitigating the impact of any event that does occur

It is rare for any one risk-control tool to combine probability and impact reduction

Loss-prevention tools = tools that reduce the probability of a loss event occurring by targeting its causes

E.g., IT system firewall, segregation of duties, door locks

4
Q

MANAGING PROBABILITY AND IMPACT

What are loss reduction tools?

What 5 things do they do?

Name 3 examples.

A

Loss-reduction tools = tools that reduce the impact/effects of loss events by:
1. limiting the physical damage that is caused (financial)
2. helping to fund the repair or replacement of lost assets as cost effectively as possible (financial)
3. shortening the duration of a loss event (non-financial loss events, e.g., adverse media effect on reputation)
4. helping an organisation to recover quickly from events (non-financial)
5. helping prevent death or injury (non-financial)

Examples:
(1) Data back-up arrangements
(2) Fire extinguishers / burglar alarms
(3) Whistleblowing arrangements

5
Q

THE 5 Ts OF RISK CONTROL

Controlling risk to manipulate the probability or impact of loss events, or to exploit opportunities, is not a given. Usually some kind of risk-control strategy is required.

What are the 5 common risk-control strategies?

A
  1. Tolerate = take no formal action to control the risk
  2. Treat = Risk treatments = actions taken to manipulate an organisation’s exposure to one or more risks (either mitigate threats or exploit opportunities through loss prevention/reduction tools)
  3. Transfer = passes the impact of loss events to a third party
  4. Terminate = any action taken to stop an activity or leave a location that is creating a particular risk exposure or combination of exposures
  5. Take the opportunity = may still implement other types of controls (e.g. risk treatments and transfers), either to mitigate any associated threats or to increase the potential to exploit the opportunity
6
Q

THE 5 Ts OF RISK CONTROL

When may risks be tolerated? (3)

Where risk exposures are tolerated, senior management should do what?

When risks are transferred, this may involve passing on what 2 things? How?

What is the only way to terminate exposure to risk?

When should the decision to terminate a risk only occur?

Where is the option to ‘take the opportunity’ present?

A

Risks may be tolerated where they are known and accepted by an organisation = may be where:
A. risk exposure is within the organisation's risk appetite
B. controls are uneconomical/impractical
C. taking the risk is necessary to achieve the organisation's objectives.

Approve and periodically review the decision = rare that a risk will be tolerated indefinitely

Transfer may involve passing on:
(1) the financial impacts of a loss event = via insurance or equivalent risk financing contracts
(2) the financial and non-financial impacts of a loss event = via a contract with a supplier or outsourced service provider

Terminate = to terminate the activity or location that is creating the exposure = could mean that an organisation passes up valuable opportunities and it may fail to achieve its objectives

  • should only occur where no level of risk exposure is considered to be tolerable, or where the risk exposure is considered to be untreatable or non-transferable

Present in activities such as corporate mergers, new product development and research and development = not taking an opportunity may sometimes be a bigger risk than taking one

7
Q

RISK TREATMENT TECHNIQUES

Risk treatment helps organisations control their exposure to risk - includes loss prevention and loss reduction tools.

Why should an organisation categorise the prevention and reduction tools?

What is the PCDD Hazard Risk Typology?

What is it used for?

How else can risk controls be categorised? Why?

A

Can help an organisation to develop optimal risk control strategies that address the range of causes and effects associated with different loss events

PCDD = Preventive, corrective, directive, and detective controls

Used to help classify the range of controls that can be used to control health-and-safety or environmental hazards

Formal and informal controls

Can help an organisation ensure a good balance between the formal and informal aspects of its approach to treating risk exposures

8
Q

RISK TREATMENT TECHNIQUES - PCDD HAZARD RISK TYPOLOGY

What are preventative controls?

Name 4 examples.

What are corrective controls?

What do they usually include?

Name 3 examples.

A

Preventative = focus on addressing the causes of loss events and are a type of loss prevention tool

Examples = staff training, PPE, asset maintenance (such as servicing), security arrangements (locks, passwords, shredding documents)

Corrective = a type of loss reduction tool correcting the adverse consequences of a hazard or similar loss (fire, pollution etc.)

Normally include mechanisms to learn from loss events that have occurred (e.g., post-event investigations into what went wrong and why)

Examples = fire extinguishers, disciplinary procedures, business continuity and recovery plans

9
Q

RISK TREATMENT TECHNIQUES - PCDD HAZARD RISK TYPOLOGY

What are directive controls?

Name 3 examples.

What are detective controls?

Are they a loss prevention or loss reduction tool?

When do they function best?

Name 4 examples.

A

Directive = controls that are used to enforce desirable outcomes and are a type of loss prevention tool

Examples = (1) organisation’s policies and procedures that are related to RM, governance or compliance, (2) code of conduct, (3) roles and responsibilities assigned to employees in their job descriptions

Detective controls = help to indicate the onset of a hazard or subsequent loss event
and are used to highlight deficiencies in preventive or directive controls

A form of loss prevention tool where it helps to detect the causes of potential loss events
AND
a loss reduction tool where it helps to detect the occurrence of an actual loss event

Function best when combined with corrective, preventative or directive controls = provide an indication that something is wrong

Examples = (1) fire and burglar alarms; (2) internal audits and compliance reviews; (3) H&S inspections; (4) bank reconciliations to detect loss events such as fraud

10
Q

RISK TREATMENT TECHNIQUES - FORMAL CONTROLS

What are formal controls? (3 characteristics)

What do they provide? (Mechanism)

Which controls do they include?

A

Formal controls have one or more of the following characteristics:
1. they have a physical presence, for example door locks or a sprinkler system;
2. they are documented within a policy or procedure; or
3. they involve tangible sanctions, such as disciplinary arrangements.

Provide a clear and tangible mechanism for risk control

Include a wide range of preventive, corrective, directive and detective controls

11
Q

RISK TREATMENT TECHNIQUES - INFORMAL CONTROLS

What are informal controls?

What are the 3 characteristics?

What do informal controls relate to? (2)

What do informal controls complement?

When can informal controls act as a substitute for formal controls?

A

Informal controls are social mechanisms of control and tend to be human-oriented and social in nature, e.g., the culture and risk culture of an organisation

(1) These controls are almost never documented
(2) they do not have a physical presence
(3) sanctions tend to be intangible e.g. individuals who do not comply with informal controls may find that their peers are unfriendly or unhelpful

They relate to:
(1) the social norms, beliefs, values and perceptions that staff members and other stakeholders have concerning the control of risk

(2) how people communicate, exert power and influence over each other, and work together.

Informal controls complement formal controls and help to ensure compliance and correct implementation of formal controls.

Informal controls can act as a substitute for formal controls where there are weaknesses in the formal control environment

12
Q

Name 5 common risk-treatment controls.

Categorise them by PCDD and formality.

A
  1. Action plans = Plans that are put in place to address weaknesses in the identification, assessment, monitoring or control of risk
    FORMAL
    DIRECTIVE
  2. Tone and action from the top
    INFORMAL
    PREVENTIVE and DIRECTIVE
  3. Emergency shut down = Mechanisms that ensure the rapid shutdown of systems that are failing or which are unsafe
    FORMAL
    CORRECTIVE
  4. Audits and reviews = Internal audits and reviews designed to assess the effectiveness of an organisation’s internal controls and its exposure to compliance risk
    FORMAL
    DETECTIVE
  5. Communication = Mechanisms that help people communicate with each other
    FORMAL and INFORMAL
    ALL
13
Q

RISK FINANCING

Why do organisations use risk financing mechanisms?

How does risk financing fit into an organisation’s risk-control strategy? (4)

A

To help fund the financial consequences of loss events

  1. Treat = RF may be employed to protect an organisation’s cash flows from the financial impact of a loss event e.g., cash funds can be used to replace lost assets quickly, minimising any business disruption effects
  2. Tolerate = An organisation may be able to tolerate loss events more easily where finance is available pre-loss (or can be obtained post-loss) to help restore lost assets
  3. Transfer = An organisation that has transferred risks through insurance may decide to put financing mechanisms in place to help mitigate the risk of the insurer’s refusal to pay a claim
  4. Terminate = The decision to terminate may carry with it associated risks that need to be financed e.g., the decision to stop producing a high-risk product may expose an organisation to business risk, including the risk of losing market share to rivals
14
Q

RETAINED RISK FINANCING

What is retained risk financing?

What does it involve?

What does this mean? (3)

What are the 2 types of retained risk financing?

A

= treating, tolerating or terminating the effects of loss events with the aid of risk financing tools

Involves retaining rather than transferring the financial effects of a loss event

This means that these financial effects will affect one or more of the following:
1. organisational cash flows;
2. profit or surplus; and
3. the balance sheet, reducing assets or increasing liabilities.

Funded or unfunded

15
Q

RETAINED RISK FINANCING - FUNDED

What is funded risk financing?

Why may funded risk financing be chosen?

How can funded risk financing be implemented?

Funded risk-financing tools may be combined with what?

A

Funded means allocating a pot of funds before a loss has to be financed

May be chosen because risk transfer (in the form of insurance or similar) is not needed, not available or too expensive.

Can be implemented before (pre-event) or after (post-event) the occurrence of a loss event
* Funding may be implemented post-event where a loss event has occurred but the full effects of the loss event are not yet known or have not been fully realised

Funded risk-financing tools may be combined to form layers of finance for losses of varying sizes = Unfunded risk financing and risk transfer provide further layers of finance

16
Q

RETAINED RISK FINANCING - UNFUNDED

What is unfunded risk financing? (What does it rely on?)

Why might unfunded risk financing occur? (4)

A

Unfunded means not putting funding in place and relying on current cash flows or unallocated capital to pay for any financial effects

Unfunded risk financing may occur because:
(1) the potential for a given loss event has not been identified (a failure in risk identification);

(2) the full effects of a loss event are not understood (a failure in risk assessment);

(3) there is a failure in risk transfer, such as where an insurer disputes a claim or refuses to pay out in full; or

(4) an organisation decides that the financial effects of a loss event are small enough to not require funding.

17
Q

RETAINED RISK FINANCING MECHANISMS

Name 4 retained risk-financing mechanisms.

Categorise them into funded or unfunded and pre or post loss.

A
  1. Allocated reserves = Profit or surplus that is allocated to help fund a specific project or loss event
    FUNDED
    PRE and POST LOSS
  2. Cash flows = Cash may be generated by sales, donations, grants and loans or similar
    UNFUNDED
    PRE and POST LOSS
  3. Contingent capital = a form of debt that is converted into equity when certain triggers are met, such as at the onset of a loss event that may bankrupt an organisation if left unfunded
    FUNDED
    PRE-LOSS
  4. Unallocated reserves = Profit or surplus that is generated and which is not allocated to a specific project or fund.
    UNFUNDED
    PRE and POST LOSS
18
Q

INSURANCE RISK TRANSFER

When will an organisation wish to transfer risk?

What is insurance risk transfer?

Insurance companies provide insurance against a range of potential loss events, including what 4 things?

Who can help with insurance?

What is the limit of indemnity or indemnity limit?

What are deductibles?

Why are they common?

A

= When the likelihood of a risk materialising is low but the impact is high

Insurance risk transfer means purchasing insurance from an insurance company to transfer the financial consequences of losses arising from hazard risks

  1. motor accidents, fire and theft;
  2. property damage and theft;
  3. building defects, like subsidence;
  4. employer’s liability – legal liability payments to staff suffering health and safety problems;

An insurance broker can help design an insurance programme, purchase insurance and process claims

Limit of indemnity or indemnity limit = To help reduce premium costs and to ensure that insurance is available, cover is limited to a maximum loss amount

Deductibles require an organisation to pay the initial amount for a loss that is incurred

Insurance premiums should be cheaper if the deductible is larger and the maximum level of cover is lower, as the level of risk transfer is lower

19
Q

NON-CONVENTIONAL RISK TRANSFER FOR THE FINANCIAL EFFECTS OF RISK

What are non-conventional risk-transfer tools?

Name 5 examples of non-conventional risk-transfer tools.

An organisation that chooses to use non-conventional risk transfer tools should ensure what?

A

= The alternatives that exist to insurance are termed non-conventional risk-transfer tools.

Non-conventional risk-transfer tools for the financial effects of risk include:

  1. financial markets, particularly in relation to derivatives and their use for hedging financial risks;
  2. finite risk insurance, which provides a multi-year mechanism for sharing the financial effects of loss events with an external counterparty;
  3. protected cell captive insurance companies, which operate like finite risk insurance;
  4. catastrophe bonds, which are risk-linked securities that transfer risks to financial counterparties who profit if the pre-specified catastrophic event fails to occur; and
  5. credit default swaps, which provide a form of insurance against creditors defaulting on their obligations.

Ensure that it has the right expertise in place
= Non-conventional risk transfer arrangements can be very complicated to set up and it is easy to make mistakes.

20
Q

CONTROLLING MAJOR LOSS EVENTS

Major loss events can have significant financial and non-financial implications for organisations.

What initial consequences may there be? (3)

What post-event consequences may there be? (3)

Why are crisis management and business continuity planning important? (What if an organisation does not have them?)

How does business continuity planning fit with crisis management? (2) (what should rapid recovery ensure?)

A

Initially = serious asset damage, injury or death, and often attract media attention

Post-event = business activities of the organisation may be disrupted for some time, and large regulatory fines and liability claims can follow

An organisation that does not have effective crisis-management arrangements and business continuity plans may not survive the aftermath of a major loss event

  1. Crisis management addresses all stages of a crisis from the emergence of the causes of the crisis through to the crisis event and its aftermath.
  2. Business continuity plans help with containment and damage control, and support business recovery
    = Rapid recovery should ensure that the continuity of organisational activities is maintained with the minimum disruption
    = Business continuity planning is an important control in the crisis management process
21
Q

CONTROLLING MAJOR LOSS EVENTS - CRISIS MANAGEMENT

What is crisis management?

Name 4 examples of crisis events.

What is the process and tools for crisis management? (4)

What are the 2 ways to help identify and assess crisis events?

A

= the process by which an organisation deals with a disruptive and potentially unexpected event that threatens to harm the organisation, its stakeholders or the general public

Examples = major fires, death or injury of people, terrorist attacks, data breaches

The process of crisis management is the same as for RM (identification, assessment, monitoring and control of crisis risks.)
BUT tools used are different

To help identify and assess crisis events:
1. Can use information on crises that have been experienced by other organisations.
2. Use scenario analysis (reliant on expert judgement).

22
Q

CONTROLLING MAJOR LOSS EVENTS - CRISIS MANAGEMENT

The control of crisis events is structured around what 5 areas, each of which represents a different stage in the development of a crisis?

A
  1. Signal detection = Looking for early warning signs that a crisis could occur.
    E.g., investigating near misses, IA findings, risk monitoring reports
  2. Preparation and prevention = Steps are taken to prepare for the occurrence of potential crisis events and to prevent these events by looking to control their causes.
  3. Containment and damage control = When a loss event occurs that may evolve into a crisis, steps must be taken to limit the adverse effects of this event.
    * E.g., implementing business continuity plans, communicating with key staff and stakeholders, working with the emergency services
  4. Business recovery = It can take a long time to recover from a crisis, but this duration can be reduced with effective recovery arrangements = quickly replacing lost assets and ensuring that funds are available to support the recovery
  5. Learning from the crisis = After recovery from the crisis, lessons learned from the experience are implemented to help prevent or reduce the effect of future crises
23
Q

CONTROLLING MAJOR LOSS EVENTS - BUSINESS CONTINUITY PLANNING

What does business continuity planning help with?

How may it be produced?

It is common to have business continuity plans that support the recovery of what?

What does a business continuity plan do? (3)

How often should a business continuity plan be updated?

A

BCPs help with containment and damage control, and support business recovery.

May be produced for a whole organisation or for specific functions, systems or premises.

Support the recovery of disrupted IT systems or for essential operational processes, such as manufacturing and supply chains

  1. outlines the actions that should be taken to minimise business disruption and to help recover from a major loss event as quickly as possible
  2. shows the order in which functions, systems, services, or premises need to be recovered first and how quickly they must be recovered
  3. explains the roles and responsibilities that people have to support recovery efforts – staff need to be ready and know what to do

Important that BCP is tested annually and updated as appropriate

24
Q

CONTROLLING 3RD PARTY RISKS

When does 3rd party risk exist?

What are the 3 key risks?

What can be the impact of these risks on organisations? (2)

How are they controlled?

A

Wherever service contracts are entered into, there will be third party risk.

The key risks are:
1. Failure of the service provider to provide an acceptable quality of service.
2. Disruptions to the continuity of service.
3. Failure of the service provider (such as bankruptcy), meaning that the service can no longer be provided.

Each of these risks can have a significant impact on organisations, increasing costs, and disrupting operational continuity

Controlling these risks can be done using a variety of risk treatment tools.

25
Q

CONTROLLING 3RD PARTY RISKS

Name 5 risk treatment tools.

Categorise them by PCDD and formality.

A
  1. Contract management = Legal review of contracts prior to signing
    Formal
    Preventive
  2. Due diligence = A comprehensive appraisal of a business or third party prior to signing a contract
    Formal
    Detective
  3. Dual supply arrangements = Contracting with two or more suppliers ensures that there is continuity of supply in the event of supply disruption or failure
    Formal
    Corrective
  4. Relationship management
    = Regular meetings between the organisation and its service providers
    Formal and informal
    All
  5. Service level agreements
    = A documented commitment that exists between a service provider and a client
    Formal
    Detective and Directive