Risk-control strategies

Question 1

1 key reason for risk control:
and a secondary reason:

Answer 1

• Reducing exposure by managing probability and impact
• Using controls to help seize opportunities

Question 2

Tools that reduce the probability of a loss event occurring by targeting the causes are known as:

Answer 2

Loss-prevention tools

Question 3

Tools that reduce the impact of a loss event by targeting the effects are known as:

Answer 3

Loss-reduction tools

Question 4

5 examples of loss-prevention tools

Answer 4

• IT system firewall
• No-smoking policy
• Segregation of duties
• Door locks
• Driver safety training

Question 5

5 examples of loss-reduction tools

Answer 5

• Data backup arrangements
• Fire extinguishers
• Whistleblowing arrangements
• Burglar alarm
• Motor insurance

Question 6

Why might multiple loss-prevention tools and loss-reduction tools be employed to control a specific loss event?

Answer 6

In recognition of the fact that events are the result of multiple causes and have multiple effects

Question 7

How do loss-prevention and loss-reduction tools help orgs seize opportunities?

Answer 7

By protecting cash flows and therefore freeing up more case to exploit new tech, markets, etc.

Question 8

The four / five Ts of risk control are:

Answer 8

• Tolerate
• Treat
• Transfer
• Terminate
• Take the opportunity

Question 9

The five Ts of risk control - Tolerate (4)

Answer 9

• Accepting a risk and taking no formal action to control it
• Often the selected route if the risk exposure is within risk appetite
• Risk may be tolerated if necessary controls are too expensive or impractical
• Risk exposure should not be tolerated indefinitely, so toleration should be periodically reviewed and approved

Question 10

The five Ts of risk control - Treat (2)

Answer 10

• Actions taken to manipulate exposure, either to mitigate threats or exploit opportunities
• Includes loss-reduction or loss-prevention tools

Question 11

The five Ts of risk control - Transfer (3)

Answer 11

• Passing on the impact of loss events to a third party, by passing on:
  
  • the financial impacts; or
  • the financial and non-financial impact
• Financial impacts can be passed on via insurance providing indemnity (or equivalent)
• Financial and non-financial impacts can be passed on via a contract with a third party where third part will also provide the good or service (think outsourcing rather than doing in-house)

Question 12

The five Ts of risk control - Terminate (2)

Answer 12

• Action taken to stop activity that is creating exposure/s
• Serious decision as it means potentially passing up valuable opportunities that were taken in pursuit of objectives

Question 13

The five Ts of risk control - Take the opportunity (2)

Answer 13

• Option that may be chosen in respect of upside risks
• After taking an opportunity, important to use other controls to mitigate risks that taking opportunity brings

Question 14

4 areas within which risk controls can be categorised:

Answer 14

PCDD

• Preventive (loss-prevention)
• Corrective (loss-reduction)
• Directive - enforcing desirable outcomes (loss-prevention)
• Detective (loss-prevention)

Question 15

3 examples of preventive risk controls

Answer 15

• Staff training
• PPE
• Security arrangements

Question 16

3 examples of corrective risk controls

Answer 16

• Fire extinguishers
• Disciplinary procedures
• Data recovery procedures

Question 17

3 examples of directive risk controls

Answer 17

• Design and implementation of policies and procedures, such as on H&S
• Codes of conduct
• Assignment of roles and responsibilities

Question 18

3 examples of detective risk controls

Answer 18

• Fire and burglar alarms
• Internal audits and compliance reviews
• H&S inspections

Question 19

Other than preventive, corrective, directive, detective, a second way to categorise risks:

Answer 19

Formal - provide clear and tangible mechanism for control

Informal - social mechanisms of control

Question 20

3 examples of informal risk controls:

Answer 20

• Soft skills training
• Team building
• Tone and action from the top

Question 21

What do risk financing mechanisms help to do?

Answer 21

Fund the financial consequences of loss events

Question 22

4 Ts of risk control - Treat - Link to risk financing (2)

Answer 22

Mitigating impact of event by:

• Risk fin. employed to protect cashflows from fin. impacts by ensuring loss events do not affect ability to meet liabilities by maintaining sufficient cash surpluses
• Cash funds can be used to minimise disruption following loss event by replacing lost items/staff, etc.

Question 23

4 Ts of risk control - Tolerate - Link to risk financing

Answer 23

Loss events are more easily tolerable where finance is available pre-loss or can be obtained post-loss

Question 24

4 Ts of risk control - Transfer - Link to risk financing (2)

Answer 24

• Risk transfer usually involves financial element, such as paying for insurance
• Transfer of non-financial risk will typically decrease profit margin through outsourcing

Question 25

4 Ts of risk control - Terminate - Link to risk financing

Answer 25

- Redundancy / asset disposal costs - Associated risks with termination may need to be managed which will require finance - risks including losing market share & damaged reputation

Question 26

Retained risk financing refers to which 3 Ts?

Answer 26

Treating, tolerating or terminating ie. not transferring

Question 27

Funded vs unfunded retained risk-financing

Answer 27

Funded = allocating a pot of funds before a loss has to be financed Unfunded = relying on cash flows or unallocated capital

Question 28

Why might unfunded risk financing occur? (4)

Answer 28

- potential for loss even not identified (failure in risk identification) - full effects of loss event are not understood (failure in risk assessment) - failure in risk transfer (eg. refusal to pay out) - financial effects are small enough to not require funding

Question 29

2 options for when funded retained risk financing can be implemented:

Answer 29

- Pre-event - Post-event - usually employed if loss event has occurred but full effects are not yet known or fully realised

Question 30

2 examples of funded risk financing tools

Answer 30

- Allocated reserves - Contingency loans

Question 31

2 examples of unfunded risk financing tools

Answer 31

- Cash flows - Unallocated reserves

Question 32

5 areas where insurance may be sought in order to transfer risk

Answer 32

- Fire - Theft - Property damage - Professional indemnity - Fraud

Question 33

Insurance intermediaries / Insurance brokers will typically be used by orgs to: (3)

Answer 33

- Design insurance program - Purchase insurance - Process insurance claims *this could be carried out by risk function, with CoSec involvement

Question 34

Deductibles re. insurance cover: (3)

Answer 34

- Orgs rarely purchase full indemnity insurance cover - Insurance is cheaper if org pays a deductible, being a set initial amount for a loss that is incurred - The higher the deductible, the cheaper the insurance

Question 35

Why might an org seek a different method of risk transfer than insurance? (2)

Answer 35

- Insurance is unavailable - Insurance is too expensive

Question 36

3 non-conventional (not insurance) risk transfer tools:

Answer 36

- Finite risk insurance - Catastrophe bonds - Credit default swaps *fine that I do not know what these mean

Question 37

Which 2 areas of control should be put in place to control major loss events (crisis events)?

Answer 37

- Crisis management - Business continuity planning

Question 38

4 examples of crisis events

Answer 38

- Major fires - Chemical spills - Death or injury of people - Prolonged tech systems failures

Question 39

Considering crisis events are very rare, how might an org plan to identify, assess, monitor and control them? (2)

Answer 39

- Using information on crises experienced by other organisations - Scenario analysis with input from relevant experts

Question 40

5 stages in control of a crisis event:

Answer 40

- Signal detection - looking for early warning signs - Preparation and prevention - preparing for occurrence or prevention through controlling causes - Containment and damage control - limiting adverse effects of event - Business recovery - recovery arrangements can reduce time taken to recover from crisis - Learning from the crisis - if org recovers, imperative that lessons are learnt to help in future

Question 41

How might the adverse affects of a crisis event be limited (4)

Answer 41

- Business continuity plans - Communication with stakeholders - Working with emergency services - Implementing a public-relations plan`

Question 42

Examples of business recovery arrangements that may reduce recovery time: (2)

Answer 42

- Quickly replacing lost assets - Ensuring funds are available to support recovery

Question 43

Which two stages of crisis event control will business continuity planning support?

Answer 43

- Containment and damage control - Business recovery

Question 44

Business continuity plans: (X)

Answer 44

- Most commonly produced for specific functions, systems or premises (but can be for whole org) - Outlines actions to be taken to minimise disruption and recover quickly from crisis event - Explains roles and responsibilities of key individuals in plan - Should be tested, usually annually - either desk-based review or an artificial 'live' test

Question 45

When should an org look to control third-party risks?

Answer 45

When entering into service contracts, such as for energy supply, cleaning and waste collection, etc.

Question 46

3 key types of third-party risks:

Answer 46

- Failure of service provide to provide acceptable quality of service - Disruptions to continuity of service - Failure of provider (such as bankruptcy) which halts provision