Risk Management Flashcards
How does ISO define Risk?
The effect of uncertainty on objectives.
Risk is commonly seen as something negative, but it is neither positive or negative. It is POTENTIAL–what could happen.
Uncertainty can bring good suprises (opportunities=upside risk) and bad surprises (threats=downside risk)
Antifragility
The ability to not just withstand high-impact events but to improve and benefit from them.
How does ISO define Risk Management?
Coordinated activities to direct and control an orgz with regard to risk
Known Unknowns and Unknown Unknowns
- Known knowns: events that are to be expected
- Known unknowns: uncertainties that we know exist but we dont know much about their probablility or impact
- Unknown unknowns: risks that we dont know exist
Kaplan & Mike’s Categories
- Internal and Preventable: come from within the orgz (ethics violation)
- Strategy: uncertainty that the orgz willingly accepts when it commits to a strategy (loans repaid)
- External: outside the orgz and beyond its control (laws and regulations)
Enterprise Risk (Risk Categories in the HR Context)
- Strategy: risks that affect the orgz ability to achieve its objectives
- Operations: risks that affect the ways in which the orgz creates value
- Financial Reporting: risks that affect the accuracy of info about the orgz financial performance
- Compliance: risks associated with meeting the requirements of laws and regulations
Benefits of Handling Risk
- A systematic approach of risk levels and mgmt–align to the orgz strategy objectives
- A more effective response to risk
- A more consistent response
- Resources not wasted
- Interrelationship of risks across the orgz can be understood and managed.
3 Barriers of Handling Risk
- Structural: orgz that are silo tend to respond to risk in an operational rather than strategic manner
- Cognitive: mindset lacking imagination, or one of unreasonable optimism, resistance to change
- Cultural: poor alignment of the orgz culture; inadequate communication of the culture’s risk approach
ISO has described an orgz framework that supports the creation of a risk-aware and risk-intelligent culture. The framework includes:
- Managment Commitment
- Design of a framework for managing risk
- Implementing risk management
- Periodic monitoring and review of the framework
- Continual improvement of the framework
Risk Management Process
- Establish the context of risk: what is the risk appetite?
- Identify and analyze risks: gather info to evaluate risk
- Manage risk: implement risk responses
- Evaluate: audit risk controls
Risk Position
The orgz desired gain or acceptable loss in value
Risk Appetite or Risk Tolerance
The amount of uncertainty the orgz is willing to pursue or to accept to attain its risk mgmt goals
Establish the Context of Risk (Step 1 in Risk Mgmt Process)
- Know internal and external sources of risk
- Define risk criteria
- risk position
- risk appetite - Consider potential for conflict of interest
- moral hazard
- principal-agent problem
Risk appetite and Tolerance are affected by other factors, including:
- The orgz strategic goals
- Attitude toward risk
- The orgz resources or risk capacity
- Externally imposed requirement
- Loss expectancy
Single Loss Expectancy (SLE)
The expected monetary loss every time a risk occurs.
It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:
SLE=AV*EF