Risk Management Flashcards
The ability to not just withstand high-impact events or shocks, but to improve and benefit from them
Antifragility
Designed to change the probability of a risk event occurring and/or the degree of its impact on the org’s objectives
Risk Management Strategies
Known Knowns (ISO)
Events to be expected, involve little uncertainty
Known Unknowns
Uncertainties we know exist, but don’t know about their probability or impact
Unknown Unknowns
Risks we don’t know exist - rare, major impact
Kaplan and Mikes' 3 risk categories
- Internal and preventable
- Strategy
- External
Components of Enterprise Risk
strategic, operational, financial, and hazards
Recognized as meeting the highest level of social responsibility, sustainability, and well-being of employees, communities, and environment
Certified B Corporations
3 Barriers to risk management
- Structural
- Cognitive
- Cultural
Steps of the Risk Management process
- Establish the context of the risk
- Identify and analyze risks
- Manage risks
- Evaluate
Risk Position
The org’s desired gain or acceptable loss in value, influenced by its risk appetite and risk tolerance
Single loss expectancy
Expected monetary loss every time a risk occurs
Annualized loss expectancy
Expected monetary loss over a 1-yr period
One party engages in risky behavior knowing it is protected because another party will incur any resulting loss
Moral Hazard
An agent makes decisions on behalf of a principal but has personal incentives not aligned with principal
Principal-Agent Problem
Person or org has potential to be influenced by two opposing incentives
Conflict of interest
Risk Control
Action taken to manage a risk
Mutually Exclusive and Comprehensively Exhaustive (MECE)
The org wants to be confident it has identified all plausible risks for all strategic and operational aspects, but wants to avoid duplication or overlapping identification
Orgs should take all possible steps to ensure the health, safety, and well-being of employees and protect them from foreseeable injury
Duty of Care
How an org can improve its understanding of broad risk
- consult experts and information sources
- focus groups and individual interviews
- surveys
- process analysis
- direct observation
Risk Equation
probability of occurrence x magnitude of impact
Risk Scorecard
Rating the expected probability, speed of onset, existing mitigation, and severity of impact on a 1-3 scale
Risk Matrix
plots risks on axes by impact and probability
PAPA model
Evaluates risks by speed of change and likelihood:
- Prepare
- Act
- Park
- Adapt
Predictions that provide early warning signal of an org’s increasing risk exposure
Key Risk Indicators
Lists info about and responsibility for managing specific risks
Risk Register
Tactics to eliminate uncertainty of a risk
Optimize or Avoid
Tactics to redefine ownership of a risk
Share or Transfer
Tactics to employ levers to increase or decrease a risk’s effect
Enhance or Mitigate
Tactics to take no action on a risk
Ignore or Accept
What must an org weigh in order to choose a risk management approach?
the costs of doing nothing against the costs of the response and level of confidence in the response
First step of implementing the Risk Management Plan
Defining risk management performance objectives
What do contingency plans address?
- policies
- evacuation/relocation
- communication
- training
- continuity
The best way to help employees learn the appropriate response to crisis situations, and to test the risk management plan
Simulations and drills
Acquire valuable info/data that can be used or sold to competitors
Espionage
Hindering an org’s ability to function properly by damaging equipment, IT capabilities, org reputation, or harming employees
Sabotage
Most important factor to consider for drug test policies
Federal and state law compliance
How to prevent group think
prioritize and gather facts before soliciting opinions
How to prevent normalization of deviance
pay attention to warning signs, ensure standards are taken seriously and deviance is addressed/remedied
How to prevent risk incubation
stress importance of planning for and prioritizing risks before they materialize
When should specific risk management programs be evaluated?
After every incident and at regular agreed intervals
Meetings to determine the effectiveness of a risk response strategy
After-action debrief
Reporting of an org’s violation of policies and processes by employees
Whistleblowing
Conducts area safety inspections and evaluates hazards
Safety committee
The probability of a risk occurring
Vulnerability
How to best ensure a risk management plan has adequately prioritized and addressed the risk(s)
Examine the near misses
The amount of uncertainty that remains after all possible management strategies have been exhausted
Residual Risk
The amount of uncertainty an org is willing to accept to attain its goals
Risk Appetite
Activities in the ISO risk management process
Communication and consultation, monitoring and review