Risk Management Flashcards
Protocol that an organization implements when an identified risk event occurs.
Contingency plan
A contingency plan is a protocol (predefined actions) that is activated when a risk event occurs, for example, activation of a severe weather work schedule.
Metrics that provide an early signal of increasing risk exposures for an enterprise.
Key risk indicators (KRIs)
*early warning signs/trends of things going in the wrong direction; unlike KPIs, they are not goals or end results
Amount of uncertainty an organization is willing to pursue or to accept to attain its risk management goals.
Risk tolerance/Risk appetite
Tool used to gather individual assessments of various characteristics of risk (e.g., frequency of occurrence; degree of impact, loss, or gain for the organization; degree of efficacy of current controls).
Risk scorecard

Principle that organizations should take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury.
Duty of care

Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.
Annualized loss expectancy (ALE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.
Single loss expectancy (SLE)
Action taken to manage a risk
Risk control
Situation in which one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.
Moral hazard
*think financial crisis of 2008-2009 (high loans from banks and irresponsible individual behavior)
Situation in which an agent (e.g., an employee) makes decisions for a principal (e.g., an employer) potentially on the basis of personal incentives that may not be aligned with the principal’s incentives.
Principal-agent problem
Organization’s desired gain or acceptable loss in value.
Risk position
*influenced by one’s risk tolerance/appetite
Amount of uncertainty that remains after all risk management efforts have been exhausted.
Residual risk
Reporting of an organization’s violations of policies and processes by employees.
Whistleblowing
Actions that aim at reducing the probability that a risk will occur or decreasing the negative impact it will have. Prevention is a form of this.
Risk mitigation
- Example: Workers operating dangerous machinery cannot exceed a set shift length.
- By limiting the length of the work shift, the company mitigates the risk of accidents caused by fatigue and inattention. This is aimed at reducing the probability of the occurrence of accidents.
A report that examines what happened, why it happened, what was done at the time, and what could have been done better.
After-action debrief
After-action debriefs are a good way to examine the effectiveness of a specific risk response strategy, presenting an opportunity for learning and improvement.
What happened, why did it happen, and what were the results of the event?
What did we do in response?
Did we follow the plan?
What were the results relative to the requirements for managing this risk?
What unexpected events (beneficial or harmful) occurred? What do they suggest about our current plan or process?
How well did we communicate with each other, with external agencies, and with employees?
What could we have done differently to improve our handling of this risk?
3 primary categories of barriers to effective risk management
Structural, cognitive, and cultural
An organization’s structure, willingness to change, and values will impact its willingness to engage in risk management.
Cognitive barriers to risk management relate to managers’ tendencies to rely on older perceptions of the risks they face and the most effective ways of managing them.
Risk management process

The ability to not just withstand high-impact events or shocks but to improve and benefit from them.
Antifragility ~ Nassim Nicholas Taleb
*think of those successful entrepreneurs that ‘disrupt’ the industries
ISO Standard 31000’s 11 principles for risk management
In 2009 the International Organization for Standardization (ISO) released Standard 31000, “Risk Management: Principles and Guidelines.” ISO 31000 presented definitions related to risk, principles for organizations to follow in making themselves more resilient and capable of managing risk, and a risk management process.

4 risk categories in HR
Strategy, operations, reporting and compliance
The problem arises when an agent (such as an employee) makes decisions or takes actions on behalf of a principal (an employer or owner) but has personal incentives that may not align with those of the principal.
Principal-agent problem (or agency dilemma)
A tool consisting of a simple grid in which the horizontal axis represents the probability that an event will occur and the vertical axis represents the severity of the impact on the organization or function if the event occurs.
Risk Matrix

Name Kaplan & Mikes’ 3 categories of risk
Internal & preventable
Strategy
External
5 steps in risk management approach
Management commitment
Design of a framework for managing risk
Implementing risk management
Periodic monitoring + reviewing of framework
Continual improvement of the framework
PAPA model

4 risk management tactics
Avoidance, reduction (mitigation), sharing (e.g., insurance) & retention (acceptance of the risk’s consequences, good or bad)
Crisis Management and Readiness Process

The reporting by employees of an organization’s violations of policies and processes; applies directly to risk management.
Whistleblowing