Risk Management Flashcards

1
Q

How does ISO define Risk?

A

The effect of uncertainty on objectives.

Risk is commonly seen as something negative, but it is neither positive nor negative. It is POTENTIAL: what could happen.

Uncertainty can bring good surprises (opportunities = upside risk) and bad surprises (threats = downside risk).

2
Q

Antifragility

A

The ability to not just withstand high-impact events but to improve and benefit from them.

3
Q

How does ISO define Risk Management?

A

Coordinated activities to direct and control an orgz with regard to risk

4
Q

Known Unknowns and Unknown Unknowns

A
  1. Known knowns: events that are to be expected
  2. Known unknowns: uncertainties that we know exist but we don't know much about their probability or impact
  3. Unknown unknowns: risks that we don't know exist

5
Q

Kaplan & Mikes’ Categories

A
  1. Internal and Preventable: come from within the orgz (ethics violation)
  2. Strategy: uncertainty that the orgz willingly accepts when it commits to a strategy (loans repaid)
  3. External: outside the orgz and beyond its control (laws and regulations)
6
Q

Enterprise Risk (Risk Categories in the HR Context)

A
  1. Strategy: risks that affect the orgz ability to achieve its objectives
  2. Operations: risks that affect the ways in which the orgz creates value
  3. Financial Reporting: risks that affect the accuracy of info about the orgz financial performance
  4. Compliance: risks associated with meeting the requirements of laws and regulations
7
Q

Benefits of Handling Risk

A
  1. A systematic approach to risk levels and mgmt, aligned to the orgz strategic objectives
  2. A more effective response to risk
  3. A more consistent response
  4. Resources not wasted
  5. Interrelationship of risks across the orgz can be understood and managed.

8
Q

3 Barriers of Handling Risk

A
  1. Structural: orgz that are siloed tend to respond to risk in an operational rather than strategic manner
  2. Cognitive: mindset lacking imagination, or one of unreasonable optimism, resistance to change
  3. Cultural: poor alignment of the orgz culture; inadequate communication of the culture’s risk approach

9
Q

ISO has described an orgz framework that supports the creation of a risk-aware and risk-intelligent culture. The framework includes:

A
  1. Management commitment
  2. Design of a framework for managing risk
  3. Implementing risk management
  4. Periodic monitoring and review of the framework
  5. Continual improvement of the framework

10
Q

Risk Management Process

A
  1. Establish the context of risk: what is the risk appetite?
  2. Identify and analyze risks: gather info to evaluate risk
  3. Manage risk: implement risk responses
  4. Evaluate: audit risk controls
11
Q

Risk Position

A

The orgz desired gain or acceptable loss in value

12
Q

Risk Appetite or Risk Tolerance

A

The amount of uncertainty the orgz is willing to pursue or to accept to attain its risk mgmt goals

13
Q

Establish the Context of Risk (Step 1 in Risk Mgmt Process)

A
  1. Know internal and external sources of risk
  2. Define risk criteria
    - risk position
    - risk appetite
  3. Consider potential for conflict of interest
    - moral hazard
    - principal-agent problem
14
Q

Risk appetite and Tolerance are affected by other factors, including:

A
  1. The orgz strategic goals
  2. Attitude toward risk
  3. The orgz resources or risk capacity
  4. Externally imposed requirements
  5. Loss expectancy

15
Q

Single Loss Expectancy (SLE)

A

The expected monetary loss every time a risk occurs.

It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:

SLE = AV * EF

16
Q

Annualized Loss Expectancy (ALE)

A

The expected monetary loss for an asset due to risk over a one year period.

It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula:

ALE = SLE * ARO

17
Q

Moral Hazard

A

When one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss

18
Q

Principal-Agent Problem

A

An economic concept often associated with moral hazard in employment.

An agent (EE) takes actions on behalf of a principal (Employer) but has personal incentives that may not align with those of the principal.

19
Q

Risk Control

A

An action taken to manage a risk

20
Q

Identifying Risk (Step 2 in the Risk Mgmt Process)

A

The goal for this phase is represented in the acronym MECE, which stands for ‘mutually exclusive and comprehensively exhaustive’

AKA: the orgz wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business.

21
Q

Risk Level

A

Risk Level = Probability that it will occur * Impact

*Risk level can be quantified through risk scorecards or visualized in a risk matrix.

22
Q

Risk Scorecard

A

A tool used to gather individual assessments of various characteristics of risk.

  • How likely the risk is to occur
  • How quickly a risk would materialize if it occurred
  • How well the orgz is currently prepared for a risk
  • Possible effects if the risk event occurs
23
Q

Risk Matrix

A

A simple grid (horizontal axis = probability of occurrence; vertical axis = severity of the impact on the orgz if the event occurs).

*Doesn't show the degree to which the orgz or function is currently protected against the threat

24
Q

PAPA Model

A

Prepare: events not likely to happen but will materialize quickly if they do

Act: events are both highly probable and fast moving

Park: events are slow moving and unlikely

Adapt: events are slowly materializing trends that may affect the orgz significantly

25
Q

Key Risk Indicators (KRIs)

A
  1. Metrics that provide an early signal of increasing risk exposures
  2. Are strategically aligned with strategic objectives
  3. Developed by considering the root causes of risks and intermediate events that may signal changes
  4. Ignoring alerts makes them ineffective and opens the orgz up to unnecessary risk
  5. Identifying KRIs puts an orgz in front of the risk it is trying to manage
26
Q

Risk Register

A

Lists information about and responsibility for managing specific risks

  • risk category
  • risk event
  • risk classification
  • KRIs
  • risk mgmt controls
  • risk owners
  • reporting requirements
27
Q

Risk Mgmt (Step 3 in the Risk Mgmt Process)

A

Upside Risk Mgmt Tactics

  • Optimize
  • Share
  • Enhance
  • Ignore

Approach

  • Eliminate Uncertainty
  • Redefine Ownership
  • Employ levers to increase or decrease effect
  • Take no action

Downside Risk Mgmt Tactics

  • Avoid
  • Transfer
  • Mitigate
  • Accept
28
Q

Residual Risk

A

The amount of uncertainty that remains after all risk mgmt efforts have been exhausted

29
Q

As with all performance measurement, HRs risk mgmt performance targets should:

A
  1. Be strategically focused
  2. Combine activities and results
  3. Combine lagging and leading metrics
  4. Modify risks related to noncompliance
  5. Instill risk mgmt principles in the orgz members and processes
30
Q

Contingency Plan

A

A protocol that an orgz implements when an identified risk event occurs.

*Emergency preparedness and business continuity require: preparedness for foreseen and unforeseen events.

31
Q

Crisis Mgmt Planning and Readiness Process

A
  1. Identify and Manage Risk
  2. Develop crisis mgmt plan
  3. Train, test, drill
  4. Learn
  5. Evaluate and revise plans as needed

Also

  1. Activate plans
  2. Recover, learn, improve
32
Q

Contingency Plans Include

A

Policies, Communication, Continuity, Evaluation, Training

33
Q

Types of Threats

A
  1. Security Threats: cyber threats, physical security
  2. Illness and Injury: physical, chemical, biological
  3. Drug Use: illegal or legal drugs or alcohol before/during/after working hours
34
Q

Evaluate (Step 4 in the Risk Mgmt Process)

A
  1. Increase transparency
  2. Confirm compliance
  3. Assess effectiveness of individual strategies
  4. Assess effectiveness of orgz risk mgmt framework
  5. Continually improve risk mgmt skills
35
Q

What is included in Evaluation

A

Conduct debriefs and incident investigations

Facilitate and investigate whistleblowing charges (and prevent retaliation)

Conduct audits (health & safety, compliance, process)

36
Q

Quality Assurance and CI

A

QA: help ensure that work is performed according to standards

CI: orgz approaches to improve/maintain the quality of risk mgmt processes

  • Risk mgmt is not static; it is a continuous activity.
  • QA and CI help an orgz remain vigilant