Risk Management Flashcards
Known Unknowns and Unknown Unknowns
Known unknowns are uncertainties that we know exist but we don’t know much about their probability or impact.
Unknown unknowns are risks that we don’t know exist. They are the events that “blindside” an organization (or individuals or entire cultures).
Kaplan & Mikes Categories of Risk
Internal and Preventable- come from within the org and can include violations of ethics and failures in routine processes
External- Outside the org and beyond its control. Include changes in economy or laws & regulations, disruptive tech, and availability of trained employees.
Strategy- Strategic cost/benefit, i.e. uncertainty as to whether loans can be repaid, employees will be productive, resources will be short, or projects might fail.
Enterprise Risk
Strategic—risks that affect the organization’s ability to achieve its objectives
Operational—risks that affect the myriad ways in which the organization creates value
Financial—risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition
Hazard—risks that have the potential to cause physical harm to property or people (for example, an illness or injury) in the immediate and long term
ISO Organizational Framework to support risk-aware, risk-intelligent cultures
Management commitment
Design of a framework for managing risk
Implementing risk management
Periodic monitoring and review of the framework
Continual improvement of the framework
Risk Management Process
- Establish the context of risk
- Identify and analyze risks
- Manage Risks
- Evaluate
Risk Position
the organization’s desired gain or acceptable loss in value.
Risk appetite/tolerance
the amount of uncertainty the organization is willing to pursue or to accept to attain its risk management goals.
Factors influencing Risk tolerance/appetite
- Org's strategic goals
- Org's characteristic attitude towards risk
- Org's resources or risk capacity
- Externally imposed requirements
- Loss expectancy
- Single Loss Expectancy (SLE)- the expected monetary loss every time a risk occurs. SLE = Asset Value x Exposure Factor
- Annualized Loss Expectancy (ALE)- the expected monetary loss for an asset due to a risk over a one-year period. ALE = SLE x Annualized Rate of Occurrence (ARO)
Examples of misaligned risks:
Moral Hazard- exists when one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss
Principal-agent Problem- when an agent (such as an employee) makes decisions or takes actions on behalf of a principal (an employer or owner) but has personal incentives that may not align with those of the principal.
Conflict of Interest- exists when a person or organization has the potential to be influenced by two opposing sets of incentives; it is exemplified in both moral hazard and the principal-agent dilemma.
MECE
Mutually exclusive and comprehensively exhausted
(Risk Identification)
Methods to understand risks
Consulting experts and information sources
Focus groups and individual interviews
Surveys
Process Analysis
Direct Observation
Risk Equation
Risk Level=Probability of occurrence x magnitude of impact
PAPA
Prepare- events are not likely to happen but will materialize quickly if they do occur. That means contingency plans must be in place and early indicators defined.
Act- events are both highly probable and fast-moving
Park- events are slow-moving and unlikely.
Adapt- events are actually slowly materializing trends that may affect the organization significantly
Risk Scorecard
A risk scorecard starts by identifying the event or threat. After factoring in the event/threat probability, speed of onset, existing mitigation, and severity of the impact, the user will see a final number that displays a weighted threat ranking index.
KRI (Key Risk Indicators)
Important metrics or predictors that provide an early warning signal of an organization's increased or increasing risk exposure.
KRIs are strategically aligned with key initiatives or strategic objectives, and they are developed by considering the root causes of risks and the intermediate events that may signal changes.