Risk Management Concepts

Question 1

What is a risk?

Answer 1

• An uncertain and random event with only a likelihood that can be measured.
• May be value-destroying (negative) or value-creating (positive).
• Essential considerations for any organisation.

Question 2

How does an uncertainty differ from a risk?

Answer 2

1. Uncertainties are unquantifiable due to unpredictability of future event constraints.
2. Risks can be estimated with a degree of confidence using statistical methods. There is, however, inherent uncertainty in risk quantification, depending upon:
   - Risk model / assumptions used;
   - Data input / updating;
   - Competence / confidence.

Question 3

How does an uncertainty differ from a risk?

Answer 3

1. Uncertainties are unquantifiable due to unpredictability of future event constrains.
2. Risks can be estimated with a degree of confidence using statistical methods. There is, however, inherent uncertainty in risk quantification, depending upon:
   - Risk model / assumptions used;
   - Data input / updating;
   - Competence / confidence.

Question 4

What are examples of risks and uncertainties?

Answer 4

• Risk: Power failure or fires - may arise but risk and mitigations may be quantified and defined.
• Uncertainty: Product R&D; political change; reputation damage; cyber-attacks.

Question 5

How are risks and uncertainties linked?

Answer 5

• Risk used, as a term, if it is possible to assign an estimated probability and impact to relevant event.
• Uncertainty used, as a term, if there is no data to assign an estimated probability and impact to the relevant event. There are however, degrees of uncertainties.

Question 6

What is a risk event?

Answer 6

• Risk event = outcome that arises from a single decision or action that could result in more than one potential outcome. Every action in an organisation is technically a risk event.
• Risk events may be incorrectly term accidents - this is not true as not every risk event involves a negative outcome. Accidents may instead be characterised as loss events.
• A risk event may also comprise anticipated events that involve a greater positive or negative outcome than anticipated.
• Risk events may be classified as to type.

Question 7

What does the risk management cycle comprise?

Answer 7

1. Identification of risks - Concise establishment of (i) risk cause and (ii) possible effects.
2. Assessment of risks - With relevant stakeholder input, determination of (i) risk impact, (ii) likelihood of manifestation and (iii) prioritisation of risks.

Question 8

What is the relationship between risk probability, impact and exposure?

Answer 8

1. Probability = likelihood of risk.
2. Impact = level of consequences from risk.
3. Exposure = Probability * impact. E.g. $25m = $100m * 25%.

• Exposure is the measure of the probable future outcome resulting from a risk. RM therefore frequently focuses on the downside exposure by estimating potential loss arising.
• The relative exposures arising from identied risks can be input into a risk matrix (impact v. probability) to indicate the exposure. This is frequently achieved using a colour-coded R-A-G heat map, to indicate significance and possible risk priorities.

Question 9

What is the difference between a pure and speculative risk?

Answer 9

1. A pure risk may ONLY involve (i) neutral or (ii) negative outcomes - there is only uncertainty as to whether the LOSS OCCURS. Includes:
   - Injury;
   - Pollution;
   - Fires / floods;
   - IT failures.
2. A speculative risk may involve (i) POSITIVE, (ii) neutral or (iii) negative outcomes - there is uncertainty as to whether a PROFIT (financial or otherwise) OR LOSS OCCURS. Includes:
   - Business ventures;
   - Investment ventures;
   - Customer demand;
   - Market conditions.

Question 10

Explain the five risk types and what is mean by risk profile.

Answer 10

• PRINCIPAL RISK: Significant risks that may affect an organisation’s viability.
• INHERENT/GROSS RISK: Level of risk exposure with no risk controls applied.
• RESIDUAL/NET RISK: Level of risk exposure with risk controls applied.
• EMERGING RISK: Risks that do not yet affect an organisations but may become principal risks in future.
• TARGETED RISK: Desired level of risk exposure required to maintain position within organisational risk appetite.

=> RISK PROFILE therefore refers to the number, types and sizes of risks that an organisation is exposed to.

Question 11

What four categorisations does the Johari Window Model use to define risks and uncertainties?

Answer 11

1. Known, knowns - certainties.
2. Known, unknowns - acknowledged uncertainties.
3. Unknown, knowns - unacknowledged certainties.
4. Unknown, unknowns - uncertainties not yet known (black swans).

Risks may be characterised according to a risk taxonomy.

Question 12

What alternative risk classification methodologies exist?

Answer 12

1. Kaplan and Mikes posit three risk caterogies:
   - Preventable risks: Controllable internal organisation risks.
   - Strategy risks: Credit risk, R&D risk, M&A risk, market risk.
   - External risks: External risks beyond an organisation’s control - major political changes, war, natural disasters.
2. Orange Book 2020 Classification also posits three risk categories:
   - Business (commercial; strategy).
   - Financial.
   - Operational (governance; information; legal; operations; people; property; security).

Question 13

What seven subjective considerations may affect risk management?

Answer 13

1. Choice.
2. Control.
3. Familiarity.
4. Distance (temporal).
5. Media.
6. Randomness (acts of God).
7. Cognitive bias (groupthink; senior authority bias; status quo bias; myopia bias).