Risk-management in practice Flashcards

1
Q

4 common applications of risk-man which each have their own sub-discipline:

A
  • Operational risk-man
  • Cyber risk-man
  • Project risk-man
  • Supply-chain risk-man
2
Q

Key consideration if specialists are employed (internally or as consultants) for each of the 4 sub-disciplines of risk-man

A

Care must be taken to avoid a silo-based approach

3
Q

Which organisations have operations?

A

All of them
Either very visible, such as manufacturing orgs
Or less visible, such as in professional services (operation is to provide the service)

4
Q

What is the biggest source of operational risk? Why?

A

People - required to control operations and carry out manual tasks, and can make mistakes, act negligently, or be absent

5
Q

Examples of operational loss events: (8)

A
  • Absence or loss of employees
  • Employee negligence or misconduct
  • Fire
  • Human error
  • IT systems failure
  • Machine breakdown
  • Power failure
  • Weather related damage
6
Q

Potential adverse effects of operational risk: (6)

A
  • Increased costs
  • Reduction in efficiency
  • Business interruption
  • Customer complaints
  • Reputation damage
  • Compliance breach
7
Q

What is operational risk-man concerned with?

A

Reducing the probability and impact of operations-related loss events

8
Q

Key individuals / groups within an org responsible for management of operational risk: (2) and how

A
  • All employees and managers - they are carrying out the operations, and are expected to do so with due skill, care and diligence
  • Operational risk manager - supports management of risk by putting together reports, developing tools to assess exposure and ensuring controls are effective
9
Q

Which organisations are exposed to cyber risk?

A

Any organisation which uses IT equipment and systems, the internet, etc.

10
Q

What is cyber risk-man concerned with?

A

All forms of digital risk

11
Q

Which area of cyber risk has been the traditional focus?

A

Information assurance

12
Q

What is information assurance?

A

The practice of assuring that an org’s information and technical resources are:
- scarce
- only accessible to authorised personnel
- used only for intended purposes
- complete and intact

13
Q

5 areas into which information assurance is broken down: (with brief description)

A

Integrity - information assets are accurate and complete

Availability - info assets are available when needed

Authenticity - info assets are genuine and sources are valid

Non-repudiation - transactions and communications of info assets are valid and undeniable

Confidentiality - only those who have right to access info assets can access them

14
Q

3 cyber risk factors/areas (other than re. information assurance) and an example loss event for each

A

Reputation - employee using social media in embarrassing or litigious manner

Recruitment - prejudging suitability of potential new recruits based on social media

Productivity of operations - network failures

15
Q

5 types of controls for cyber risk-man: (with brief description)

A

Technical controls - system-based safeguards such as malware protection, firewalls

Physical controls - physical prevention of unauthorised access

Procedural controls - acceptable-use policies, effective risk assessments and auditing

People controls - effective recruitment practices and training

Legal controls - ensuring compliance with legislation, including data protection

16
Q

Key individuals / groups within an org responsible for management of cyber risk: (2) and how

A
  • All employees and managers - they are using the tech, and need to ensure they comply with policy and report potential risk events
  • Risk function or other specialist functions - supporting employees with above
17
Q

What is project risk-man concerned with?

A

Planning and co-ordinating the work of a team of people to achieve specific goals

18
Q

Projects: (3)

A
  • Are temporary endeavours, but the changes that they bring may be permanent
  • Are conducted within a range of constraints, including financial, time and quality constraints
  • Can be complex, requiring co-ordination of different resources, skills, knowledge and expertise, all of which are subject to a range of risks
19
Q

5 examples of projects within orgs: and example of loss event for each

A
  • Designing and implementing a new IT system - may be unreliable or require extensive manual workarounds
  • Moving or refurbishing a work site - may prove unsuitable to employee needs
  • Launching a new product - may have design flaws or be unreliable
  • Merging with another org - culture clashes
  • Setting up a new subsidiary in a new location or market - may not meet the needs of customers
20
Q

What is PRINCE2 ?

A

A formal methodology for managing projects, including associated risks

21
Q

Seven principles of PRINCE2

A
  • Projects must have a business justification
  • Project teams should learn from experience at every stage, to improve future performance
  • Roles and responsibilities are clearly defined
  • Work in planned stages by breaking projects up into phases
  • Boards oversee projects, but project managers are generally in control
  • Team focus on quality to ensure objectives are met in full
  • Project-man and risk-man approaches are tailored to meet needs of org and project
22
Q

What is a supply chain?

A

A network of organisations and people that work together to produce and distribute a good or service

23
Q

Supply-chain risk-man is concerned with:

A

identifying, assessing, monitoring and controlling supply-chain risks to maintain continuity, quality and affordability of upstream supplies

24
Q

5 causes of supply-chain loss events

A
  • Bankruptcy of a supplier (or other crisis)
  • Human error
  • Weather events (snow or flooding)
  • Financial risks affecting costs and prices
  • Socio-political risks affecting supply
25
Q

5 examples of supply chain loss-events

A

- Reputation events (if supplier is behaving unethically)
- Late or non-delivery of goods
- Increase in costs
- Payment or legal disputes with suppliers
- Environmental risks due to pollution in supply process

26
Q

2 key issues necessary for supply-chain risk-man

A

- Developing a detailed understanding of the complete supply-chain network and the processes that connect each of the orgs and people within the network
- Developing a detailed understanding of risk-man, internal control, governance and compliance arrangements of upstream and downstream orgs

27
Q

Why is developing a detailed understanding of risk-man, internal control, governance and compliance arrangements of upstream and downstream orgs important? (3)

A

- Understanding effectiveness and each org's ability to manage loss events that could disrupt the supply chain
- Ensure each org's internal control and gov arrangements do not expose the other to compliance risk
- Ensure each org's environmental management and H&S management do not expose the other to reputation risk

28
Q

CSR (2)

A

- Connected to compliance, but concerned with exceeding minimum legal and regulatory requirements
- Related to areas such as human rights and protecting vulnerable third parties and communities

29
Q

4 examples of CSR activities

A

- Philanthropy - donating money to charities
- Providing free or subsidised services to employees and their families
- Providing time off for employees to volunteer
- Providing free or subsidised goods to low income customers/clients

30
Q

CSR link to sustainability

A

Focus of CSR is social
Sustainability adds environmental and financial elements (triple bottom line of 'People', 'Planet', 'Profit')

31
Q

4 examples of sustainability initiatives

A

- Fair trade initiatives
- Closed-loop supply chains that minimise waste and reuse/recycle products
- Proactive reduction of carbon footprint
- Production changes to reduce pollution

32
Q

3 ways in which effective CSR and sustainability require risk-man

A

- All 3 aim to create stakeholder value over the longer term
- Risk-man tools and techniques are essential when addressing H&S and environmental issues
- Reputation risk will be suffered if orgs claiming to implement CSR and sustainability face related loss events in these areas

33
Q

Sustainability risk-management (SRM) (2)

A

- Emerging discipline in some orgs
- Uses conventional risk-man tools and techniques to assess and control risks that may affect financial, social or environmental sustainability of an org

34
Q

Information which orgs are required to report to regulators may include: (5)

A

- Information on org and directors
- Staff salaries
- Financial accounts
- Major risks and their management
- Pollution and H&S incidents

35
Q

3 risk events orgs are exposed to re. providing reports to regulators

A

- Missed reporting deadlines
- Providing incomplete reports
- Providing complete reports containing errors

36
Q

5 basic activities in regulatory reporting process

A

- Understanding and implementing the regulatory reporting requirements
- Fulfilling specific regulatory reporting requirements
- Managing risk of process failure
- Managing reputation and fin. impact of reporting risk events
- Managing legal and resource requirements

37
Q

7 groups within org with key roles in regulatory reporting:

A

- CoSec and other gov profs
- Compliance function
- Finance function
- H&S function
- IT function
- Risk function
- Other functions from across org

38
Q

Regulatory reporting - CoSec and gov profs (2)

A

- Reporting requirements re. confirmation statements, director changes, articles of association, etc., which bring risks of reporting delays, errors, omissions
- In some SMEs, the CoSec or gov prof may have additional responsibilities usually taken on by specific functions

39
Q

Regulatory reporting - Compliance function (2)

A

- May have responsibility for producing some or all required regulatory reports, or
- May oversee reporting activities of other functions within org to ensure compliance risks are managed appropriately

40
Q

Regulatory reporting - Finance function (2)

A

- Key role to play in producing reports on accounting or other financial info
- This may include providing additional financial info such as assessment of adequacy of financial resources in relation to risk exposures

41
Q

Regulatory reporting - H&S function (2)

A

- May be responsible for all H&S related reports
- This will include reporting on more serious incidents, such as serious injury or death

42
Q

Regulatory reporting - IT function (2)

A

- May be responsible for reporting on any IT security breaches as part of the requirement to report any risk events affecting financial viability of org or ability to meet stakeholder expectations
- Direct communication between IT function and regulators is reducing, as increased requirements have meant employment of a chief information security officer (or equivalent) is common

43
Q

Regulatory reporting - Risk function (2)

A

- May be involved in producing some or all of the reg reports that have a risk element, such as H&S and data protection
- Will usually work with finance function in fin. services, and compliance function

44
Q

Regulatory reporting - Functions from across the wider org

A

Other functions have responsibilities for producing and supplying information for reg reports, but not for collating or delivering these reports