Risk Management Flashcards
What is risk?
The chance the there will be a variation in outcome from what is expected to happen. An event may come along that adversely affects the achievement and objectives.
What is opportunity?
The possibility that an event will occur and positively impact the achievement of objectives.
What is uncertainty?
The inability to predict outcomes due to a lack of info.
What is pure risk?
The chance something will go wrong.
What is speculative risk?
The chance something will go well - but it is still a risk.
What is business risk?
The risks businesses face.
What is financial risk?
A non-business risk - risk of change in fianncial conditions etc. Not controlled by things the business does but also controlled by things the business does - debts.
What is operational risk?
The risk that events can occur and the risk of disruption as a consequence.
What is strategy risk?
The risk you will implement the wrong strategy.
What is enterprise risk?
The risk that the enterprise will fail and so will the business.
What is product risk?
When customers do not buy the anticipated amount but you have planned for a different outcome. Left without enough.
What is economic risk?
The risk that comes from the fact that economic conditions can change unexpectedly.
What is property risk?
The risk that you may lose property due to accidents. Often links to the risks that come from natural disasters.
What are the stages of risk management?
Risk ID, Risk assessment, Risk response, Risk monitoring and reporting.
Risk ID and awareness includes what?
Identifying all possible risks and any possible losses because of them. Includes taking on external advisers, doing risk audits, PEST/SWOT analysis. Have to consider if they are new, could they be limited, in what areas could they arise.
Risk assessment and management includes what?
Identifying the nature and possible implications of a given risk.
How is risk measured?
Probability x impact
Identifies how likely it is the risk will have any impact. This allows you to work out any potential loss.
What is gross risk?
The potential loss associated with the risk, this is the name given to calculating the probabilty with the impact.
What is exposure?
How likely is it that the business will be exposed to any risk. Does it face serious or not serious risks.
What is volatility?
The measurement of the variability of the risk factor. Is it one that is always there or is it one that will potentially come out of no where.
How is risk categorised?
High likelihood but low impact.
high likelihood and high impact.
Low likelihood and low impact.
Low likelihood and high impact.
Depending on where they fall a company might just accept them as a risk.
There is a map which allows companies to decide how they control the risks.
What is risk response and control?
How you approach the risk impacts what you then do about. Do you rank It as serious or not.
What is a risk averse attitude?
A business that doesn’t take risk at all, almost to a detriment. They will go for the options that have a lower return for lower risk over an option with higher return but slightly more risk.
What is a risk neutral attitude?
They mainly focus on return and act accordingly. Everything is in line. They would choose investments based on return irrespective of risks.
What is a risk seeker attitude?
They would pick investments based on risk not return. Even if they can go for an option with a more guaranteed return and less risk they would still choose it.
What is the TARA model?
It provides a selection of potential responses to risk. Transfer/sharing Avoidance Reduction Acceptance and retention
What is risk sharing?
You transfer or share the risk with a third party. Often exists in an insurance context. overall the cost to you would wind up as less because someone else will bear some of it.
What is risk avoidance?
You do not undertake anything that carries risk. You lose any potential advantages as a consequence though.
What is risk reduction?
Doing activities that don’t get rid of the risk but they do limit it to an acceptable level. You then have to work to keep the risk at that level constantly. You have to have quite stringent control measures in place.
What is risk acceptance/retention?
You take the risk and tolerate the potential losses that come with it. This is often a last resort but often looking at risk this way ends up cheaper than the alternative.
What is risk monitoring?
You look at the current risk management controls and monitor whether they are working. You also measure them against the risks you now face (as risks are always subject to change).
What does the corporate governance code expect where risk is concerned?
Listed companies have to determine any risks they are willing to take to achieve their objectives and report risk management issues.
What must be noted when risks arise?
Was corrective action taken.
Was it a new risk or one previously identified.
Had the risk been planned for and if so why were the signs it was coming to fruition ignored.
How effective were any of the risk and response controls in place.
What is a crisis in terms of risk?
Anything that impacts the wellbeing of the business and its normal operations.
What are the three main types of crisis?
PR, strategy and finance
What are the two axes for understanding an organisations resilience?
Axis 1 - processes and functions exist to PROTECT the organisation.
Axis 2 - the way the organisation functions generally drives resilience at all times.
What does axis 1 include?
Having risk management and disaster recovery plans. Knowing where the risks could come from so that if they arise you can see them coming.
What does axis 2 include?
Creating strong relationships with all and instilling a strong sense of values in the behaviours of staff. Creating an environment that it would be harder for the product of risk to shake. Creating a flexible organisation environment that would be able to adapt and respond.
What reduces resilience?
Lack of expertise
Senior management not being involved enough
It not being woven in to the culture of the business
The tech not being well equipped enough
Not having robust approaches to things
What makes an organisation resilient?
Diversified resources
Strong internal and external network of relationships
Rapid and decisive responses to emerging crises
Constant self review and adaptation
How is resilience measured?
Compliance - with policy
Completeness - how well rounded is the policy
Value - how does the organisation itself measure these things
Capability - how has it tested how capable it is in itself
How can businesses ensure cyber resilience?
Having solid information security plans that would allow for prevention and recovery should a cyber threat arise
What are the two disaster recovery plans?
Short term - for minor breakdowns
Long term - for breakdowns that would be more serious with longer term implications
