RM QUIZ 2 (M4) Flashcards
- The overall process of risk identification, risk analysis and risk evaluation.
▪ It should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders, and should use the best available information.
▪ Involves the recognition of risks and then rating them to determine the significant risks facing the organization, project or strategy.
RISK ASSESSMENT
▪ The purpose of _____ is to identify the SIGNIFICANT risks that could impact the corporate objectives, stakeholder expectations, core processes and key dependencies.
risk assessment
■ The purpose of ____ is to find, recognize and describe risks that might help or prevent an organization in achieving its objectives
risk identification
note:
- Relevant, appropriate and up-to-date information is important in identifying risks.
■ The organization should identify risks, whether or not their sources are under its control.
Factors to consider in Risk Identification
- Tangible and intangible sources of risks
■ Causes and events
■ Threats and opportunities
■ Vulnerabilities and capabilities
■ Changes in the external and internal context
■ Indicators of emerging risks
■ The nature and value of assets and resources
■ Consequences and their impact on objectives
■ Limitations of knowledge and reliability of information
■ Time-related factors
■ Biases, assumptions and beliefs of those involved
The purpose of ______ is to comprehend the nature of risk and its characteristics, including the level of risk.
Risk Analysis
Note:
■ Analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use.
- _______ involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness and can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information, and the resources available.
Risk analysis
T or F
- Highly uncertain events can be difficult to quantify and will require using a combination of techniques to provide greater insight.
T
■ Risk analysis provides an input to ______, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods.
risk evaluation
Factors to consider in Risk Analysis
■ The likelihood of events and consequences
■ The nature and magnitude of consequences
■ Complexity and connectivity
■ Time-related factors and volatility
■ The effectiveness of existing controls
■ Sensitivity and confidence levels
- The purpose of _______ is to support decisions.
- It involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.
risk evaluation
Decisions after Risk Evaluation
– Do nothing further
– Consider Risk Treatment options
– Undertake further analysis to better understand the risk
– Maintain existing controls
– Reconsider objectives
______ is only useful if the conclusions of the assessment are used to inform decisions and/or to identify the appropriate risk responses for the type of risk under consideration.
Risk assessment
______ recommend the assessment of inherent risk, while _____ states that risk assessment should be undertaken at inherent and at residual level.
– Internal auditors
– ISO31000
Note:
The benefit of undertaking assessment of inherent risk is that the difference between the current (residual) level and the inherent level can be identified.
One of the approaches to Risk Assessment
■ When risk assessment is being undertaken by the Board of Directors, the Chief Executive Officer (CEO) and the other top-level management of an organization.
Top-down Risk Assessment
One of the approaches to Risk Assessment
When risk assessments are undertaken by involving individual members of staff and local department management.
Bottom-up Risk Assessment
Read only:
Top-down Risk Assessment advantages and disadvantages
Adv:
– Enterprise wide Approach
– Significant risks quickly identified
– “Buy-in” from top
Dis Adv:
– Too much Focus on External Risks
– No focus on Internal ops
– Too Superficial
Read only:
Bottom-up Risk Assessment advantages and disadvantages
Adv
– Buy in at all levels
– Ops awareness of local risks
– Varied Methodology
Dis Adv
– No focus on External
– Time Consuming
– Too Detailed
Risk Assessment Techniques
- _________
■ The use of structured questionnaires and checklists to collect information that will assist with the recognition of the significant risks.
- ________
■ Collection and sharing of ideas at workshops to discuss the events that could impact the objectives, core processes or key dependencies.
- _______
■ Physical inspections of premises and activities and audits of compliance with established systems and procedures.
- _____________
■ Analysis of the processes and operations within the organization to identify critical components that are key to success.
1– Questionnaires and Checklists
2– Workshops and Brainstorming
3– Inspections and Audits
4– Flowcharts and Dependency Analysis
Risk Assessment Techniques
____________
■ An analysis of the strengths, weaknesses, opportunities, and threats faced by the organization.
■ It has the benefit that it also considers the upside of risk by evaluating opportunities in the external environment.
- One of its strengths is that it can be linked to STRATEGIC decisions.
SWOT ANALYSIS
Risk Assessment Techniques
_____________
* Considers the political, economic, social, technological, legal and ethical (or environmental) risks faced by the organization.
■ It is a well-established structure with proven results for undertaking brainstorming sessions during risk assessment workshops.
PESTLE Analysis
Risk Assessment Techniques
_________
* A structured approach that ensures that NO RISKS are omitted. Such studies are often undertaken of hazardous chemical installations and complex transport structures, such as railways and nuclear power stations.
■ It can also be applied to the analysis of the safety of products.
■ It is very analytical and time-consuming.
HAZOP (Hazard and Operability)
Risk Assessment Techniques
__________
■ It is a process that is being used by reliability engineers to understand potential industrial hazards and PREVENT ACCIDENTS.
■ In risk management, it is used to evaluate the severe consequences of failure, how likely it is for the failure to occur and the chance of detecting the failure before it happens.
FMEA (Failure Modes and Effects Analysis)
NOTE:
■ A very analytical and time-consuming approach
- Problems and defects are expensive. Customers understandably place high expectations on manufacturers and service providers to deliver quality and reliability.
■ Often, faults in products and services are detected through extensive testing and predictive modeling in the later stages of development. However, finding a problem at this point in the cycle can add significant cost and delays to schedules. The challenge is to design in quality and reliability at the beginning of the process and ensure that defects never arise in the first place.
Risk Assessment Techniques
__________
■ The first stage is to put the risk description into the middle box.
■ The causes of the risk then need to be recorded along with the preventive controls to stop the risk occurring and these are placed on the left side of the tie.
■ The impact of the risk and the identified response controls to lessen the impact of the risk are then placed on the right side of the tie.
bow tie analysis
Source - Preventive controls
Impact - Response Controls
______ is a qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process.
■ In addition to identifying how a product or process might fail and the effects of that failure, it also helps find the possible causes of failures and the likelihood of failures being detected before occurrence.
- It is one of the best ways of analyzing potential reliability problems early in the development cycle, making it easier for manufacturers to take quick action and mitigate failure. The ability to anticipate issues early allows practitioners to design out failures and design in reliable, safe and customer-pleasing features.
FMEA
- When completing FMEA, it’s important to remember Murphy’s Law: “_______.” Participants need to identify all the components, systems, processes and functions that could potentially fail to meet the required level of quality or reliability. The team should not only be able to describe the effects of the failure, but also the possible causes.
Anything that can go wrong, will go wrong
THREE Criteria of FMEA
– Severity
– Occurrence
– Detection
■ To determine the significance of a risk, a test should be conducted using a “_____”
benchmark test
Example of Benchmark test for risk significance
FIRM RISK SCORECARD
Financial
Infrastructure
Reputational
Marketplace
The most commonly used risk matrix is the ____, one that demonstrates the relationship between the likelihood of the risk materializing and the impact of the event should the risk materialize.
likelihood/impact matrix
Identify each Likelihood
_____
Can reasonably be expected to occur, but has only occurred 2 or 3 times over 10 years in the organization or similar organizations.
_____
Has occurred in the organization more than 3 times in the past 10 years or occurs regularly in similar organizations, or is considered to have a reasonable likelihood of occurring in the next few years.
_____
Occurred more than 7 times over 10 years in the organization or in other similar organizations, or circumstances are such that it is likely to happen in the next few years.
_____
Has occurred 9 or 10 times in the past 10 years in this organization, or circumstances have arisen that will almost certainly cause it to happen.
Unlikely
Possible
Likely
Almost Certain
Likelihood analysis and probability estimation
Source: ISO/IEC 31010 Risk Assessment Techniques
a) The use of _____ to identify events or situations which have occurred in the past and hence be able to extrapolate the probability of their occurrence in the future.
b) ____ using predictive techniques.
c) ____ can be used in a systematic and structured process to estimate probability.
a.) relevant historical data
b.) Probability forecasts
c.) Expert opinion
Identify each Magnitude
_____
Serious impact on health; serious loss of reputation that will influence trust and respect for a long time; violation of law that results; large economic loss that cannot be restored.
_____
No impact on patient health; minor reduction of reputation in the short run; no violation of law; negligible economic loss which can be restored.
_____
Death or permanent reduction of health of patient; serious loss of reputation that is devastating for trust; serious violation of law; considerable economic loss that cannot be restored.
_____
Minor temporary impact on patient health; small reduction of reputation that may influence trust for a short time; violation of law that results in a warning; small economic loss that can be restored.
Severe
Small
Catastrophic
Moderate
- ______ determines the nature and type of impact which could occur assuming that a particular event, situation or circumstance has occurred.
- An event may have a range of impacts of different magnitudes and affect a range of different objectives and different stakeholders.
Consequence analysis
Note:
- Consequence analysis can involve:
a. taking into consideration existing controls to treat the consequences, together with all relevant contributory factors that have an effect on the consequences;
b. relating the consequences of the risk to the original objectives;
c. considering both immediate consequences and those that may arise after a certain time has elapsed, if this is consistent with the scope of the assessment;
d. considering secondary consequences, such as those impacting upon associated systems, activities, equipment or org
4Ts of Hazard Management
____ the risk to another party
____ the risk and its likely impact
____ the risk to reduce the likely impact or exposure
____ the activity generating the risk
Transfer
Tolerate
Treat
Terminate
- _____ is the amount of risk that remains after controls are accounted for.
Residual or current level risk
___ represents the amount of risk that exists in the absence of controls.
Inherent risk
- ____ is the level of risk that is of interest to risk managers
Target level of risk
■ ______ reflects the AMOUNT and TYPE of risks that an organization is willing to PURSUE or retain or the more immediate need to take risk in order to achieve objectives.
Risk appetite
NOTE
IMMEDIATE
______ represents the long-term APPROACH of the organization to risks
Risk attitude
NOTE
LONG-TERM
RISK APPETITE MATRIX
____ includes all of the risks that have already been identified, plus any emerging risks that are starting to appear
UNIVERSE OF RISK
RISK APPETITE MATRIX
_____ is the level of risk that the organization feels comfortable taking and embedding into core processes because, regardless of the likelihood of the risk materializing, the impact is so small that it would not be significant if it did materialize or there will be a likelihood of a risk materializing that is considered so remote that it is assumed that it will not occur, even though it would be very serious if it did.
COMFORT ZONE
____ includes all of the risks that have high likelihood/high-impact and will be intolerable for the organization.
CRITICAL ZONE
_____
include all the risks with medium-likelihood/medium impact that will require some judgement before acceptance.
Concerned zone and cautious zone
NOTE:
RISK AVERSE = more Concerned zone
Risk Aggressive = Less concerned zone and more comfort zone
Identify Classification headings
COSO
Strategic
Operations
Reporting
Compliance
SORC
Identify Classification headings
IRM
FINANCIAL
OPERATIONAL
STRATEGIC
HAZARD
FSOH - FOSH
Identify Classification headings
BS 31100
FINANCIAL
OPERATIONAL
STRATEGIC
PROGRAMME
PROJECT
SPPFO - FOSPP
Identify Classification headings
FIRM RISK SCORECARD
FINANCIAL
INFRASTRUCTURE
REPUTATIONAL
MARKETPLACE
FIRM
Identify Classification headings
PESTLE
POLITICAL
ECONOMIC
SOCIOLOGICAL
TECHNOLOGICAL
ENVIRONMENTAL
read only
Simplified business model
- Strategy
- Operations
- Tactics
- Events
- Results of Operations
ok
T or F
Categorizing risks according to a single risk classification system is always helpful.
f.
not always
British Standard states that the number and type of risk categories employed should be selected to suit the size, purpose, nature, complexity and context of the organization.
- The categories should also reflect the maturity of risk management within the organization.
British Standard states that the number and type of risk categories employed should be selected to suit the ___, ____, ____, ___ and context of the organization.
Size
purpose
nature
complexity
The purpose of ___
- Enable the organization to identify where similar risks exist within the organization.
- Enable the organization to identify who should be responsible for setting a strategy for the management of related or similar risks.
- Enable the organization to better identify the risk appetite, risk capacity, and total risk exposure in relation to each risk, group of similar risks, or generic type of risk.
Risk Classification Systems
________
- Offers a classification system for the risks to the key dependencies in the organization.
■ It also reflects the idea that every organization should be concerned about its finances, infrastructure, reputation and marketplace success.
FIRM Scorecard
- ______ is the measure of how much risk the organization SHOULD TAKE or can afford to take and this is compatible with the organization’s attitude to risks.
Risk capacity
- Risk capacity of an organization will depend on:
■ organization’s financial strength
■ robustness of its infrastructure
■ strength of its reputation
■ the brands and the competitive nature of the marketplace in which it operates
■ In simple terms, risk appetite should be within the _______ of the organization and greater than or equal to the ______ that the organization faces.
risk capacity
actual risk exposure
___ is the actual risk the organization is taking and this may not be the same as the risk appetite of the organization.
- Risk exposure
MAJOR CATEGORIES OF RISKS
MARKET R
CREDIT R
LIQUIDITY R
OPERATIONAL R
LEGAL AND REGULATORY R
BUSINESS R
STRATEGIC R
REPUTATION R
MC LOL BSR
8 MAJOR CATEGORIES OF RISKS
___ risk that changes in financial market prices and rates will reduce the value of a security or a portfolio
MARKET RISKS
UNDER MARKET RISKS
_____ - risk that the value of a fixed-income security will fall as a result of an increase in market interest rates.
_____ - risk associated with volatility in stock prices
_____ - arises from open or imperfectly hedged positions in particular foreign currency denominated assets and liabilities leading to fluctuations in profits or values as measured in a local currency.
_____ - risk associated with commodity price volatility
- Interest rate risk
- Equity price risk
- Foreign exchange risk
- Commodity price risk
8 MAJOR CATEGORIES OF RISKS
____ risk of an economic loss from the failure of a counterparty to fulfill its contractual obligations, or from the increased risk of default during the term of the transaction
CREDIT RISK
UNDER CREDIT RISK
____ - corresponds to the debtor’s incapacity or refusal to meet his/her debt obligations, whether interest or principal payments on the loan contracted, by more than a reasonable relief period from the due date.
_____ - risk of taking over the collateralized, or escrowed, assets of a defaulted borrower or counterparty
______ - risk that the perceived creditworthiness of the borrower or counterparty might deteriorate.
_____ - risk due to the exchange of cash flows when a transaction is settled. This risk is greatest when payments occur in different time zones, especially for foreign exchange transactions, such as currency swaps, where notional amounts are exchanged in different currencies
Default risk
Bankruptcy risk
Downgrade risk
Settlement risk
LIQUIDITY RISK COMPRISES
FUNDING LIQUIDITY RISK
TRADING LIQUIDITY RISK
UNDER LIQUIDITY RISK
_____ risk relates to a firm’s ability to raise the necessary cash to roll over its debt, to meet the cash, margin, and collateral requirements of counterparties, and to satisfy capital withdrawals.
____ often simply called liquidity risk, is the risk that an institution will not be able to execute a transaction at the prevailing market price because there is, temporarily, no appetite for the deal on the other side of the market
FUNDING LIQUIDITY RISK
TRADING LIQUIDITY RISK
8 MAJOR CATEGORIES OF RISKS
____ refers to potential losses resulting from a range of operational weaknesses including inadequate systems, management failure, faulty controls, fraud, and human errors. In the banking industry, operational risk is also often taken to include the risk of natural and man-made catastrophes (e.g., earthquakes, terrorism) and other nonfinancial risks
OPERATIONAL RISKS
OPERATIONAL RISK COMPRISES
HUMAN FACTORS RISK
TECHNOLOGY RISKS
FRAUD RISKS
8 MAJOR CATEGORIES OF RISKS
___ are risks related to legal or governmental actions that can have a material impact on the achievement of business objectives.
LEGAL AND REGULATORY RISK
8 MAJOR CATEGORIES OF RISKS
___ refers to the classic risks of the world of business, such as uncertainty about the demand for products, or the price that can be charged for those products, or the cost of producing and delivering products.
BUSINESS RISK
8 MAJOR CATEGORIES OF RISKS
___ refers to the risk of significant investments for which there is a high uncertainty about success and profitability. It can also be related to a change in the strategy of a company vis-à-vis its competitors.
STRATEGIC RISK
8 MAJOR CATEGORIES OF RISKS
_____ the potential loss to financial capital, social capital and/or market share resulting from damage to a firm’s reputation. It can be divided into two main classes: the belief that an enterprise can and will fulfill its promises to counterparties and creditors, and the belief that the enterprise is a fair dealer and follows ethical practices.
REPUTATIONAL RISK
8 MAJOR CATEGORIES OF RISKS
__ - concerns the potential for the failure of one institution to create a chain reaction or domino effect on other institutions and consequently threaten the stability of financial markets and even the global economy
SYSTEMIC RISK
____
* Are being applied to lessen the likelihood of the risk occurring and minimize the impact of the risk to the organization
LOSS CONTROL
ELEMENTS OF LOSS CONTROL
___ is about reducing the likelihood of an adverse event occurring, although it will also be concerned with reducing the magnitude of an event that does occur
LOSS PREVENTION
NOTE LIKELIHOOD
ELEMENTS OF LOSS CONTROL
____ is concerned with reducing the magnitude of the event when it does materialize
DAMAGE LIMITATION
NOTE MAGNITUDE
ELEMENTS OF LOSS CONTROL
____ is concerned with reducing the impact and consequences of the event. It will be concerned with ensuring the lowest cost of repairs, as well as business continuity plans to ensure that the organization can continue operations following damage to the asset that has been affected
COST CONTAINMENT
NOTE CONSEQUENCE AND IMPACT
3 SEGREGATION OF DUTIES
SAFEKEEPING
AUTHORIZATION
RECORD KEEPING
____
- The reward for taking the risk in the first place.
■ It is simply achieving what the organization set out to achieve, by taking the risks that were embedded in the strategy, tactics and/or operations that were involved.
■ When an organization realizes that solving a particular risk-based problem has brought a benefit, rather than a cost.
UPSIDE OF RISK
- The benefits of good risk management within projects are that the project is more likely to be delivered on time, to budget and at the required quality.
- Risk management activities will assist the delivery of the project and, at the same time, help manage a situation when an outcome is different from what was expected as the project progresses.
UPSIDE OF PROJECTS
- Strategic issues are vitally important, and failure to implement strategy or the selection of an inappropriate strategy can be amongst the most devastating risks to hit an organization.
- The upside of risk in strategy is that risk management efforts help with the design of an effective and efficient strategy
UPSIDE OF STRATEGY
- Risk management evaluation of operations can enable the organization to deliver the most effective and efficient activities, operations and processes.
- By delivering the most effective and efficient operations, an organization can achieve advantages over a competitor and undertake work for a lower cost and still make a profit.
UPSIDE OF OPERATIONS