Risk-management in practice Flashcards
Risk-management process, tools, and techniques can be applied to different types of activities, including what? (6)
For the first 4, what are the 4 respective sub-disciplines?
Where specialists exist for discrete sub-disciplines, care must be taken to avoid what?
How can this be achieved?
- production operations
- management of technology systems and processes
- programme and project management
- supply chain management
- corporate social responsibility (CSR) programmes
- regulatory reporting
(1) operations risk management
(2) cyber risk management
(3) project risk management
(4) supply chain risk management
Care must be taken to avoid a silo-based approach to RM
= One way to achieve this is to incorporate these sub-disciplines into an enterprise risk-management approach
OPERATIONS OR OPERATIONAL RISK-MANAGEMENT
Name 6 loss events that may impact operations.
Where loss events affect operations, 1 or more adverse effects may be experienced. Name 6.
- Loss of staff
- Employee misconduct/negligence
- Fire
- Human error
- IT or power failure
- Weather-related damage – could cause travel disruption / inability to work or operate
Where loss events affect operations, 1 or more adverse effects may be experienced:
(1) increased costs, e.g. repairing or replacing machinery
(2) reduction in operational efficiency
(3) business interruption, no delivery of goods and services
(4) Customer complaints
(5) reputational damage / media enquiries
(6) a compliance breach, e.g. injury or death of an employee or third party
OPERATIONS OR OPERATIONAL RISK-MANAGEMENT
Why does operational risk-management exist?
What are the 6 benefits for an organisation?
Who has responsibility for operations risk-management?
Who may be hired?
What may their role include? (4)
Operational RM exists to control the risks which may have an adverse effect on the operations of an organisation = it is concerned with reducing the probability and impact of operations related loss events and mitigating adverse effects
Benefits = (1) can help to prevent such risks and (2) reduce the impact of any loss events that occur = should help to (3) improve operational efficiency, (4) prevent any long-term disruption and (5) reduce costs = (6) adds value to the organisation and its stakeholders
All employees or managers have some degree of responsibility for the management of the risks associated with operations
There may be a more specialist operational risk manager to support the management of operational risks
(1) putting together risk reports, (2) developing tools, (3) assessing probability and impact, and (4) ensuring that operational risk control tools are effective
CYBER RISK-MANAGEMENT
What is cyber risk-management concerned with?
Cyber risk management traditionally falls within the field of what, which does what? (4)
Information assurance is broken down into what 5 areas?
= concerned with managing all forms of digital risk
Cyber risk management traditionally falls within the field of information assurance (IA), assuring that an organisation’s information and technical resources are:
* secure,
* only accessible to authorised personnel,
* used only for the purposes they are intended, and
* complete and intact
IA is broken down into a number of distinct areas:
(1) Integrity: information assets are accurate and complete within an organisation
(2) Availability: information assets are available when needed
(3) Authenticity: information assets are genuine and their sources are valid
(4) Non-repudiation: transactions and communications of information assets are valid and cannot be denied
(5) Confidentiality: only those who have the right to access information assets can access them
CYBER RISK-MANAGEMENT
Name 6 common cyber related loss events.
As cyber technologies change, cyber risk management controls must develop to include both formal and informal controls. Name 5 controls.
Who has responsibility for cyber risk-management? (employees 3 responsibilities and who has oversight)
(1) Using social media to screen recruits – could lead to possible legal disputes
(2) Acts/views of employees – Use of social media to bully, harass, troll employees could lead to grievances and compensation claims
(3) Reputation – employees using social media in an embarrassing way
(4) Breaches of confidentiality - e.g., Employees using a social media platform to talk about clients or to share commercially sensitive information
(5) IT security – corruption of data as a result of hacking
(6) Privacy – corporate monitoring not disclosed to employee could lead to legal disputes/grievances
- Technical controls (formal): system-based safeguards such as encryption and firewalls.
- Physical controls: physical prevention of unauthorised access (secure server rooms, locked-up data backups), theft and fire protection.
- Procedural controls: acceptable use policies and business continuity planning.
- People controls (informal): effective recruitment practices, and proper training.
- Legal controls: ensure compliance with relevant legislation (data protection law) and controls to manage any legal issues that might result from employee misconduct.
All employees = ensuring that they comply with acceptable use policies, that they report potential hacking attacks and that they do not reveal sensitive information on social media. BUT oversight rests with the IT team / risk function / HR / compliance
PROJECT RISK-MANAGEMENT
What are the 3 key risks associated with projects?
What is project managing?
What does project risk management ensure?
What practice standards for project risk management are there?
What is an alternative to PRINCE2, and what is the benefit?
- the project’s goals are not met (the desired changes are not implemented in full);
- the project’s goals are not met within the required time scale (the risk of a project over-run); and
- the costs associated with the project are higher than budgeted (the risk of over-spend).
Project management = the planning and coordinating of work of a team of people to achieve specific goals, within a specified time period, with limited resources.
Project risk management = ensures that project objectives are delivered on time and on budget = use a range of practices to identify, assess, monitor and control project risks to ensure the smooth progress of a project or programme
The Project Management Institute provides practical standards for project managers
Association for Project Management = Project Risk Analysis and Management Model (PRAM)
Benefit = risk is recognised as both an opportunity and a threat
PROJECT RISK-MANAGEMENT
Ward provides a 9-phase process for managing risk within projects and programmes. What are the 9 steps?
Name 4 examples of common project risk-management tools.
- Define the scope of project and its constraints
- Focus on agreed RM objectives and processes
- Identify project threats and opportunities
- Structure risks according to their type, severity of exposure etc.
- Ownership = assign risk to owners according to type and severity
- Estimate = continue to eliminate risk exposures and track changes
- Evaluate project RM activities
- Plan = project plan and associated RM plans
- Manage = manage and control the project throughout its lifetime
Common tools include risk registers, risk reports of key risk indicators (KRIs) and key performance indicators (KPIs), project risk committees, and crisis management
PROJECT RISK-MANAGEMENT
What is the formal methodology for managing projects?
What are the 7 principles it is built on?
What is the benefit of the methodology?
Who is responsible for project risk-management?
PRINCE2
built on 7 principles:
1. Projects must have a business justification
2. Project teams should learn from experience to improve future performance
3. Clearly defined roles and responsibilities
4. Work in planned stages – break the project into phases
5. Project oversight boards of senior managers manage by exception
6. Focus on quality – to ensure objectives are met
7. Approaches are tailored to meet the needs of specific organisations and projects
Benefit = PRINCE2 builds risk management into the management of a project from the beginning and, if applied correctly, incorporates Ward’s nine phases of project risk management.
Organisations may have internal or external specialist project risk managers = project management specialists
SUPPLY CHAIN RISK-MANAGEMENT
What is a supply chain?
What is an upstream supply chain?
What is a downstream supply chain?
Name 3 supply chain loss events.
Loss events may be caused by a variety of causal factors. Name 4 examples.
= a network of organisations and people that work together to produce a good or service, followed by distributing the good or service to the end client or consumer
An upstream supply chain ensures that the inputs required for an organisation to function are available, such as electricity, equipment, software or product components
A downstream supply chain ensures that an organisation can supply its goods and services to clients and consumers further down the chain towards the end consumer
supply chain loss events include:
(1) upstream suppliers are late delivering goods and services, do not deliver sufficient quality, or are unable to deliver;
(2) payment and other legal disputes with upstream suppliers and downstream clients and consumers; and
(3) the cost of upstream suppliers increases unexpectedly
In turn, these loss events may be caused by a variety of causal factors, including:
1. bankruptcy of an upstream supplier or a supplier experiencing a major crisis;
2. cyber risks such as hacking attacks;
3. human error;
4. weather events = snow, flooding
SUPPLY CHAIN RISK-MANAGEMENT
What is supply chain risk-management concerned with?
What is the key issue of supply chain risk-management?
Supply chain risk-management requires what?
Why is this important? (3)
What helps a company understand the upstream and downstream risk management arrangements?
= concerned with identifying, assessing, monitoring and controlling supply chain risks.
Key issue = developing a detailed understanding of the complete supply chain network and the processes that connect each of the organisations and people within the network
Problems can occur anywhere within a supply chain: unknown interdependencies can cause major problems
Developing a detailed understanding of the RM and related internal control, governance and compliance arrangements of upstream and downstream organisations that work within the chain
This is important for a number of reasons:
1. To understand the effectiveness of these arrangements and each organisation’s ability to manage loss events that could disrupt the supply chain.
2. To ensure that each organisation’s internal control and governance arrangements are appropriate and do not expose others in the chain to compliance risk.
3. To ensure that each organisation’s environmental management and H&S management activities are appropriate and do not expose others in the chain to reputation risk.
Due diligence and other third party risk controls like relationship management and contract management.
SUPPLY CHAIN RISK-MANAGEMENT
Name the case that shows how a very small and seemingly insignificant component in a supply chain can cause major disruption.
Case study = fire at one of Toyota’s supplier’s factory that threatened to halt production at Toyota for weeks
= Disaster was averted by working with other suppliers to produce the part
RISK-MANAGEMENT, CSR, AND SUSTAINABILITY
What is corporate social responsibility? (2)
What are the 4 categories of corporate social responsibility activities?
Name 3 examples of corporate social responsibility activities.
(1) = an activity connected with compliance, but aims to exceed the minimum requirements of laws and regulations
(2) = a form of self-regulatory mechanism that ensures an org/employees behave in a way that is ethical and consistent with national and international norms
Pet projects = sponsor an art exhibition
Philanthropy = large charity donations
Propaganda = focus on building organisation’s reputation
Partnerships = create significant shared value for the organisation and society
Possible CSR Activities:
1. Providing subsidised services for employees and their families (e.g. health and education).
2. Marketing campaigns designed to change social attitudes towards human rights issues or the environment.
3. Providing free or subsidised goods and services to clients and customers on low incomes
RISK-MANAGEMENT, CSR, AND SUSTAINABILITY
What is sustainability?
What is the triple bottom line?
Name 4 examples of sustainability-related activities.
= an extension to CSR built around the principle of the ‘triple bottom line’.
The organisation should balance each of the following elements equally:
1. People: providing fair labour practices, including a living wage, safety and employment rights;
2. Planet: ensuring the global and local environment is not damaged by the organisation and its activities; and
3. Profit: delivering long-term economic value for all stakeholders
Sustainability-related activities include:
(1) fair trade initiatives
(2) supply chain selection processes that prioritise local suppliers and distributors wherever possible
(3) proactive reduction of the organisation’s own carbon footprint via recycling schemes, electric vehicles or the use of renewable energy
(4) moving to production processes that cause less ground, air or water pollution
RISK-MANAGEMENT, CSR, AND SUSTAINABILITY
The risk management of corporate social responsibility and sustainability is about what 2 things?
Why does effective corporate social responsibility and sustainability management require risk-management? (3)
RM of CSR and sustainability is about:
(1) Sharing the economic value created by organisations in a fair way across all relevant stakeholders
(2) minimising adverse consequences of an organisation’s economic activities (such as pollution or health and safety events)
Effective CSR and sustainability management requires RM for the following three reasons:
1. Like CSR and sustainability, RM is a discipline for creating stakeholder value over the longer term
2. RM tools and techniques are essential when addressing pollution or H&S issues
3. An organisation that claims to implement CSR and sustainability initiatives may suffer from reputation risk where related loss events, such as pollution or employee injuries, suggest that these initiatives are implemented poorly
RISK-MANAGEMENT, CSR, AND SUSTAINABILITY
How can risk-management support an organisation’s CSR and sustainability objectives? (3)
RM can help to:
(A). protect the economic value that can be shared with all stakeholders through the prevention and mitigation of loss events;
(B). identify, assess, monitor and control the risks arising from its economic activities, including pollution and health and safety events; and
(C). protect the reputation of the organisation, which might be damaged if the occurrences of loss events are linked to weaknesses in its CSR or sustainability management activities