Risk Management Flashcards
Annualized loss expectancy (ALE)
Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.
Conflict of Interest
Situation in which a person or organization may benefit from undue influence due to involvement in outside activities, relationships, or investments that conflict with or have an impact on the employment relationship or its outcomes.
Contingency plan
Protocol that an organization implements when an identified risk event occurs.
Duty of care
Principle that organizations should take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury.
Hazard
Potential for harm, often associated with a condition or activity that, if left uncontrolled, can result in injury or illness.
Key risk indicators (KRIs)
Metrics that provide an early signal of increasing risk exposures for an enterprise.
Moral hazard
Situation in which one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.
Principal-agent problem
Situation in which an agent (for example, an employee) makes decisions for a principal (for example, an employer) potentially on the basis of personal incentives that may not be aligned with the principal’s incentives.
Residual risk
Amount of uncertainty that remains after all risk management efforts have been exhausted.
Risk
Uncertainty that has an effect on an objective, where outcomes may include opportunities, losses, and threats.
Risk appetite
A high-level characterization of the amount of uncertainty (acceptable risk) an organization is willing to pursue or to accept to attain its risk management goals.
Risk control
Action taken to manage a risk.
Risk management
System for identifying, evaluating, and controlling actual and potential risks to an organization.
Risk position
Organization’s desired gain or acceptable loss in value.
Risk scorecard
Tool used to gather individual assessments of various characteristics of risk (for example, frequency of occurrence; degree of impact, loss, or gain for the organization; degree of efficacy of current controls).
Risk tolerance
A characterization of the amount of uncertainty (acceptable risk) an organization is willing to pursue or to accept to attain its risk management goals, defined in a range above and below a target.
Single loss expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.
Whistleblowing
Reporting of an organization’s violations of policies and processes by employees.
Which risk category would include the risk posed by infectious disease?
Hazard
Financial
Strategic
Operational
Hazard
The hazard risk category includes risk sources from injury and illness. Infectious disease would fall under this risk category.
Which evaluation method is best for an emergency response plan?
Comparing the plan to the previous plan
Asking for insurance company input
Conducting a crisis drill
Having a government agency review the plan
Conducting a crisis drill
A simulated crisis in which the plan is tested will alert the company to changes that need to be made and is the best way to see how the plan performs.
Which option best defines risk?
Quantifiable and enterprise-wide picture of organization loss exposure.
Negative impact an event can exert on an organization’s well-being
Organization’s vulnerabilities from an enterprise perspective
Effect of uncertainty on the ability to meet organization objectives.
Effect of uncertainty on the ability to meet organization objectives.
The ISO definition of risk is simply “the effect of uncertainty on objectives.” Uncertainty can be positive or negative in its effects. The other choices emphasize negative risk or assessments of risk occurrence.
An employee’s ex-husband waits outside her place of work. When she emerges, he begins yelling. She retreats inside the building. The husband attempts to follow but is prevented by a door that locks automatically behind the employee. An HR staff member observes the incident. What action should the staff member take?
Answers
Call for immediate revision of the organization’s security policies.
Recommend that those involved debrief the incident.
Write a memo to the HR head, documenting the incident.
None. The security measures worked as intended.
Recommend that those involved debrief the incident.
After-action debriefs are a good way to examine the effectiveness of a specific risk response strategy, presenting an opportunity for learning and improvement.
Which situation that leads to workplace violence can be controlled by an organization?
Answers
Domestic problems
Pressure for increased productivity
Low employee self-esteem
Unstable economy
Pressure for increased productivity.
Conditions causing employee frustration and anger can lead to violence. Examples include pressure for productivity, rigid management style, and layoffs.
What is the appropriate role for an HR manager in an investigatory interview for a dischargeable offense?
Answers
Champion of employee’s perspective and position
Prosecutor presenting evidence and challenging the employee
Risk manager for the organization
Supporter for manager/supervisor of involved department
Risk manager for the organization.
In this situation, the role of HR is to be proactive and manage the legal and physical safety risks to the organization. HR managers must be aware of the need to ensure due process to employees and to provide a safe work environment for all employees. HR should not take a prosecutorial or defense role; the organization should approach the situation and the evidence objectively and calmly.
What phase of risk management is represented in the acronym MECE, which stands for “mutually exclusive and comprehensively exhaustive”?
Answers
Risk-averse
Risk management
Risk identification
Risk mitigation
Risk identification
The organization wants to be confident that all plausible risks for strategic and operational aspects of the business are captured without duplication or overlap in the identification step.
Which best identifies the outcome of requiring all employees to be trained in business continuity and disaster recovery plans?
Decreased size of risk management budgets
Decreased risk of occurrence of risk events
Increased risk of poor public relations
Increased confidence among organization shareholders
Increased confidence among organization shareholders.
Preparation for crises and business interruptions demonstrates quality management practices and would boost stakeholder confidence and public image. It would not affect the likelihood of occurrence, nor would it decrease risk management budgets.
How is a risk control best understood by an organization?
Answers
Sharing a risk’s occurrence or impact and its likelihood
Indicating what triggers a specific risk management response
Restricting the amount of risk the organization assumes in its dealings
Ensuring that employees are following risk management guidelines
Sharing a risk’s occurrence or impact and its likelihood
A risk control is an action taken to manage a risk: to enhance the potential of an upside risk or to decrease the potential negative effects of a downside risk.
Management decides that training supervisors to identify and prevent bullying is not necessary, and they do not fund a program budget. What does this illustrate?
Answers
Organization’s risk tolerance
Risk avoidance management strategy
Precedence of global standardization in the organization
Poor governance
Organization’s risk tolerance
Management has decided that it is willing to accept the risk that bullying will occur and possible organizational costs. This is an example of an organization’s risk tolerance, the amount of unmanaged risk that management is willing to accept.
An organization examines the level of probability for all types of losses to which it may be exposed. What aspect of risk is the organization studying?
Answers
Mitigation planning
Impact
Vulnerability
Risk tolerance
Vulnerability
Vulnerability refers to the degree of probability that a loss will occur. Impact is the possible effect on the organization, and tolerance is the amount of risk the organization can handle if an event occurs. Mitigation planning occurs after analysis of probability, risk, and speed of onset.
In terms of risk management, what is a risk control?
Answers
Contingency plan to be implemented in the event of a crisis
Mechanism to collect data for reporting to management
Measure taken to reduce the probability or severity of a threat
System to prevent the occurrence of a risk
Measure taken to reduce the probability or severity of a threat
In risk management terminology, the most inclusive answer here is that a risk control is any measure that modifies risk by decreasing the likelihood that a risk event will occur or the impact that the event would have on the organization.
How often should an organization review the components of its enterprise risk management framework?
Answers
Only if a major incident has occurred
At an agreed-upon and regular interval
Every three years
When a new strategy is developed
At an agreed-upon and regular interval
Components of an organization’s risk management framework should be reviewed at an agreed-upon and regular interval as well as after major incidents.
To meet a safety goal, an organization provided training to employees. The number of injuries, however, has not decreased over the last three years. What should the HR training manager do?
Answers
Require all employees to attend the training.
Hire an outside consultant to provide the training.
Develop new training content.
Evaluate and adjust the training.
Evaluate and adjust the training.
Evaluating the training will allow the company to identify whether the issue is with the training or the people, and adjustments can be made accordingly. Developing new content or hiring an outside consultant without evaluating the training could be a waste of time and resources. Making the training mandatory doesn’t help if the training is ineffective.
A risk scorecard provides a weighted number for each event or threat and the probability of that threat occurring. Which other factors are needed to complete a threat ranking index?
Answers
Speed of onset, existing mitigation, and severity of impact
Risk category, classification, and reporting requirements
Risk level, impact, and the probability of event occurrence
Known knowns, known unknowns, and unknown unknowns
Speed of onset, existing mitigation, and severity of impact
A risk scorecard starts by identifying the event or threat. After factoring in the event/threat probability, speed of onset, existing mitigation, and severity of the impact, the user will see a final number that displays a weighted threat ranking index. Risk level, impact, and the probability of event occurrence are components of a risk matrix that visually demonstrates risk levels. Risk category, classification, and reporting requirements may be documented in a risk register but are not used in scoring. Known knowns, known unknowns, and unknown unknowns are categories of risk from the perspective of the amount and kinds of knowledge available when evaluating the risk.
A mining company has had a safety program in place for over ten years. It has been effective in decreasing accidents and injuries. What should HR recommend?
Answers
Review the technology used in the program to see if newer, more effective technology is now available.
End the program and develop an entirely new program. Ten years is too long.
Leave the program as it is, since it appears to be effective.
Consider scaling the program back, since it has apparently changed employee behavior and created a safer workplace.
Review the technology used in the program to see if newer, more effective technology is now available.
Changes in technology may mean that the organization could be better able to detect and deter threats. However, that doesn’t mean that the organization should start from scratch with a new program. HR should work to assess the program and look for opportunities for continuous improvement.
Which is the most appropriate example of risk mitigation?
Answers
Requiring criminal background checks for applicants
Training interviewers about proper questions to ask during hiring interviews
Implementing an emergency communication system for assignees
Requiring vaccination programs for assignees
Implementing an emergency communication system for assignees
A risk mitigation strategy seeks to reduce the negative impact of an event. A communication system cannot prevent crises, but it can decrease stress and reduce assignees’ exposure to threats.
What are the primary categories of barriers to effective risk management?
Answers
Time, money, and resources
Location, personnel, and equipment
Structural, cognitive, and cultural
Opportunities, threats, and weaknesses
Structural, cognitive, and cultural
The primary categories of barriers to effective risk management are structural, cognitive, and cultural. An organization’s structure, willingness to change, and values will impact its willingness to engage in risk management. Time, money, and resources and location, personnel, and equipment may be impacted by risk management efforts, but they don’t drive those efforts. Similarly, opportunities, threats, and weaknesses may be part of what the organization looks at as part of its risk management efforts, but they don’t drive those efforts.
What is a good example of an upside risk?
Answers
An organization is a vendor’s first major customer for a leading-edge technology system.
A technician proves highly skilled, invaluable, and irreplaceable.
Union demands for wages, benefits, and work conditions are unrealistic.
A team finishes its project two weeks ahead of the schedule.
A team finishes its project two weeks ahead of the schedule.
An upside risk is an opportunity that arises out of uncertainty about outcomes. Completion date is uncertain, but early project completion is an opportunity: an uncertainty that has a positive outcome.
What is the primary purpose of a safety self-audit?
Answers
To eliminate unsafe acts and environmental factors in the company
To ensure employee compliance with the organization’s safety programs
To identify roles and responsibilities in the event of an industrial accident
To lower workers’ compensation insurance premiums for the company
To ensure employee compliance with the organization’s safety programs
A safety self-audit is conducted by an employer to assure the organization that employees are following safety-related policies and procedures. Workers’ compensation premiums are most directly affected by an organization’s rate of injuries. Being prepared to handle an emergency is a good practice, but it is more related to procedures and training than to an audit. An audit can only capture evidence of compliance or noncompliance. Compliance alone, especially if policies and training are faulty, will not eliminate unsafe acts.
Which method is most effective for controlling hazards and their negative consequences?
Answers
Control the hazard by enclosing or guarding it at its source.
Require protective equipment to shield personnel against the hazard.
Abate and eliminate the hazard from the workplace.
Train personnel on awareness and safety procedures to avoid it.
Abate and eliminate the hazard from the workplace.
The most effective way to control hazards and their consequences is to engineer them out of the workplace. For example, a sawmill may design the cutting process so that the level of sawdust is acceptable.
How does duty of care translate to an organization’s responsibilities?
Answers
Taking all steps reasonable to ensure employee health and safety
Complying with all local health and safety requirements
Providing health benefits to all of its employees and their families
Managing risks to employees on assignment
Taking all steps reasonable to ensure employee health and safety
Duty of care reflects an employer’s responsibility to take all steps reasonably possible to support employee health and safety and prevent harm, whether the employee is in the workplace or on a remote assignment. This may involve but is not restricted to providing access to health care and complying with regulatory requirements.
What is the role of HR when it comes to whistleblowing?
Answers
Seeking to prevent whistleblowing by any means necessary, including reassigning, retraining, or terminating employees found whistleblowing
Gathering, assessing, and categorizing complaints from whistleblowers and presenting them to upper-level management during annual review cycles
Establishing a communication process that allows direct access to upper-level decision makers and protecting whistleblowers from retaliation
Working with mid-level managers to determine who is whistleblowing and seeking to ensure that the complaints are handled and withdrawn
Establishing a communication process that allows direct access to upper-level decision makers and protecting whistleblowers from retaliation
HR should ensure that whistleblowing complaints reach upper-level management and should protect whistleblowers from retaliation by coworkers or managers. In some locations, whistleblowers are protected by law. HR should not seek to independently address whistleblowing complaints or encourage or engage in retaliation against whistleblowers.
The vice president of operations has asked the chief human resources officer (CHRO) to determine the risk levels across the organization’s three offices. With the help of the HR team, the CHRO conducts surveys, interviews, and focus groups to collect data. During which phase of the risk management process are these activities occurring?
Answers
Managing risks
Analyzing risks
Evaluating risks
Identifying risks
Identifying risks
The HR department is instructed to fill a critical management position as quickly as possible. Using multiple agencies will produce more candidates more quickly but will increase the cost by several times. Which critical input should HR seek before deciding how to proceed?
Answers
Job description for the ideal candidate
Desired applicant-to-hire ratio to indicate success
Risk tolerance of the organization
Networking connections and employee referrals
Risk tolerance of the organization
HR needs to know how management rates the level of risk in not filling this position quickly: their risk tolerance. This will help HR decide whether the increased cost of using multiple search firms is appropriate.
Risk
A broad set of factors, originating from both internal and external sources, that may impact business operations
Moral hazard
The alignment and balance between an organization’s goals and associated risks is a necessary requirement for a sustainable business model.
International Organization for Standardization Standard 31000
ISO 31000 presents definitions related to risk and principles for organizations to follow in making themselves more resilient and capable of managing risk.
ISO definition of risk
The effect of uncertainty on objectives
Risk management
Coordinated activities to direct and control an organization with regard to risk
What are the categories of risks?
Known knowns, known unknowns, and unknown unknowns
What is a known known risk?
Events that are to be expected and so involve little uncertainty
What is a known unknown risk?
Uncertainties that we know exist but whose probability or impact we don’t know much about
What is an unknown unknown risk?
Risks that we don’t know exist
What are Kaplan and Mikes’ risk categories?
Internal and Preventable
External
Strategy
What is the internal and preventable risk category?
These risks come from within the organization and could include violations of ethics and failure in routine processes.
What is the external risk category?
These sources of uncertainty are outside the organization and beyond its control. They would include changes in the economy or laws and regulations, disruptive technologies, and availability of trained employees.
What is the strategy risk category?
There are times when an organization is willing to take on a certain amount of risk when it commits to a strategy. For example, there is uncertainty as to whether loans can be repaid, whether employees will be fully productive, whether projects might fail, or whether resource shortages might occur. This willingness to accept risk is based on an assessment of the potential benefits that can be reaped from a successfully executed strategy.
What are the 4 categories of enterprise risk?
Strategic
Operational
Financial
Hazard
What is strategic risk?
Risks that affect the organization’s ability to achieve its objectives
What is Operational Risk?
Risks that affect the myriad ways in which the organization creates value
What is Financial Risk?
Risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition.
What are hazard risks?
Risks that have the potential to cause physical harm to property or people in the immediate and long term.
What are the 3 barriers to risk management?
Structural
Cognitive
Cultural
What is the structural barrier to risk management?
An organization’s structure can make it difficult to respond to risk, and communication may be more difficult.
What are the ISO 31000 Principles that an effective risk management program should have/do?
Create and protect value
Be an integral part of all organizational processes
Be part of decision making
Explicitly address uncertainty
Be systematic, structured, and timely
Be based on the best available information
Fit an organization’s risk and control environment
Take into account human and cultural factors
Be transparent and inclusive
Be dynamic, iterative, and responsive to change
Facilitate continual improvement of the organization
What are the 3 common examples of misaligned risks?
Moral Hazard
Principal-Agent Problem
Conflict of Interest
What is the risk equation?
A tool that attempts to quantify the amount of uncertainty a risk represents.
Risk level = Probability of occurrence × Magnitude of impact