Sectoral Risk Management / RM Techniques Flashcards

1
Q

What are the principal differences between traditional risk management and enterprise risk management?

A

TRM:
- Insurable risks only
- One-dimensional assessment
- One-by-one RM
- Siloed to one business unit
- Reactive / sporadic
- Focuses only on loss prevention
- Disjointed

ERM:
- Risks not necessarily insurable
- Multi-dimensional assessment
- Material risk analysis and interrelation
- Holistic / organisation-wide
- Proactive / continuous
- Upside / downside consideration
- Focus on business goals and adding value
- Embedded in culture / mindset

2
Q

What are the principal areas of EU-wide risk regulation?

A
  • Financial services
  • Environmental protection
  • Health and safety
3
Q

What are principal features of the EU regulatory framework concerning financial services?

A
  • No direct EU supervisory management of risk management, excluding ECB.
  • EU risk management tenets, instead, usually transposed into national law (subject to gold-plating).
  • EU/ECB oversees prudential risk regulation, whereas member states supervise conduct of business requirements, in accordance with any prescribed EU directive requirements.
4
Q

What does the prudential regulation of financial services comprise?

A
  • Financial solvency of supervised financial institutions.
  • Financial market stability.
  • Maintenance of trust and integrity in monetary policy operations.
5
Q

What does the conduct of business regulation of financial services comprise?

A
  • Manufacture and supply of financial services.
  • Conduct of financial market participants.
  • Financial crimes.
6
Q

Which organisations does the ECB supervise?

A

Systemically important financial institutions within the Eurozone, including:

  • Credit institutions
  • (Re)insurance undertakings
  • Other institutions whose failure may affect the financial system (e.g. central counterparties/clearing houses)
7
Q

What are the principal financial services regulators within the UK?

A
  1. BoE: Oversight of currency and financial system stability, and resolution authority.
  2. PRA: Prudential regulation of banks, insurers and other systemically important institutions; joint responsibility for FSCS. Key objectives:
    - Promote safety and soundness of regulated firms;
    - Ensure insurers provide an appropriate degree of protection to policyholders;
    - Facilitate effective competition.
  3. FCA: Conduct of business regulation and limited prudential regulation of smaller/non-PRA institutions; joint responsibility for FSCS; UKLA. Key objectives:
    - Ensure appropriate degree of protection for consumers.
    - Protect and enhance UK financial system integrity.
    - Promote effective competition.
  4. FOS: Customer-provider dispute resolution authority.
  • HM Treasury ultimately responsible for regulatory framework and expenditure of public funds.
  • HMT and regulators accountable to Parliament.
8
Q

What principal areas of risk does health and safety regulation address?

A
  • Risk of death, personal injury or illness, arising from organisation’s activities, against stakeholders, namely:
    1. Employees - via, by example, Employers Liability Act 1969 (maintenance of liability insurance); Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (reporting of significant injuries/occurrences to HSE).
    2. Customers.
    3. Proximate third parties (e.g. contractors) - via, by example, Control of Substances Hazardous to Health Regulations 2002 (consideration, prevention and control of hazardous substances via thorough risk assessment).
  • Rules-based regulation exists because market-driven incentives to regulate are generally inadequate.
9
Q

How is health and safety overseen and regulated in the UK?

A
  • Key employer obligation under Reg. 3(1), Management of Health and Safety at Work Regulations 1992 - suitable and efficient assessment of the health and safety risks to which:
    1. Employees are exposed at work;
    2. Non-employees arising out of or in connection with the conduct of the relevant undertaking.
  • Health and Safety Executive is the key regulator (under Health and Safety at Work Act 1974) and may:
    1. Implement related regulations;
    2. Inspect organisations;
    3. Take enforcement action.
10
Q

What is the process for risk assessing health and safety risks?

A
  • Identifying and assessing health and safety hazards, and determining who might be affected by them.
  • Taking appropriate steps to protect such stakeholders from the applicable hazards.
  • Recording health and safety incidents, and reporting major incidents to the regulatory reporting agency.
  • Implementing procedures governing the above.
11
Q

What is a hazard (for health and safety purposes)?

A

The potential to cause harm, including ill health and injury, damage to property, plant, products or the environment, production losses or increased liabilities.

12
Q

What three key methods exist for the identification of (health and safety) hazards?

A
  • Comparative methods (checklists; audits).
  • Fundamental methods (deviation analysis; hazard and operability (HazOp) studies).
  • Failure logic (fault trees; event trees; cause-consequence diagrams).
13
Q

What are the principal facets of a deviation analysis?

A
  • Combination of (i) process condition and (ii) guide word to identify a hazard.
  • For example, ‘low’ (guide word) and ‘flow’ (process condition) would create ‘low flow’ (hazard).
14
Q

What are the chief characteristics of a HazOp study?

A
  • A HazOp study indicates how a deviation from normal operation, or an operational malfunction, may lead to a hazard.
  • The study takes a tabular format that links (i) a deviation + guide word with (ii) a possible cause to indicate the (iii) likely consequences and (iv) action required.
15
Q

What are the key stages of a HazOp study?

A

Four main stages:
1. Formation of HazOp team.
2. Identification of relevant system.
3. Consideration of variations to operating parameters.
4. Identification of hazards or failure points.

16
Q

What does a failure mode and effect analysis entail?

A
  • Process that identifies all possible failure types or risks that could arise against a product or process, and potential failure consequences.
  • Analysis outputs comprise (i) the failure mode (what could go wrong) and (ii) the effect analysis (risk consequences/likelihood/severity).
17
Q

How may a fault/event tree be used?

A
  • Fault/event trees characterise risk outputs according to type of the inputs necessary to precipitate the relevant output.
  • A risk output may be subject to an ‘or tree’ - the output may arise if any one of the attendant inputs occurs.
  • A risk output may also be characterised using an ‘and tree’ - the output would only transpire if all of the related inputs occur.
18
Q

What key issues does environmental regulation address?

A
  • Per se environmental problems: Pollution; resource shortages; habitat destruction; noise pollution; greenhouse geological issues.
  • Stakeholder considerations: Asymmetrical information (organisations know more about environmental impacts than stakeholders); public good (stakeholders do not receive full benefits of environmental protection but may incur all costs).
19
Q

What are the six stages of the risk management process?

A
  1. Confirm RM strategy.
  2. Identify risk.
  3. Assess and prioritise.
  4. Challenge and evaluate controls.
  5. Action (as appropriate).
  6. Monitor and report.

=> RM therefore adds value to the organisation.

20
Q

What are the differences between explicit and implicit risk management techniques?

A
  • Implicit: Subliminal/subconscious RM adjustments that are unlikely to lead to substantive improvements in an organisation’s risk profile.
  • Explicit: Usage of a formalised risk management framework to ensure risk management decisions support achievement of organisational objectives, accounting for stakeholder risk preferences.
21
Q

What are the three core elements of the ISO 31000:2018 risk management standard?

A
  1. Risk management architecture (committees; reporting).
  2. RM strategy (risk appetite; risk policies).
  3. RM protocols (processes; procedures).
    - Policy: RM aims/objectives; RM framework processes; RM responsibilities/roles; governance/committee arrangements; divisional policies.
    - Procedures: Specific guidelines applicable to higher risk tasks; financial procedures; dedicated RM procedures (e.g. escalations; critical system recovery); reporting.
    - Technology: Use of internet/network technology to support risk monitoring and control.
22
Q

What are the key facets of a risk appetite statement?

A
  • Outlines types and levels of risk an organisation may tolerate in pursuit of its objectives.
  • Stakeholder risk preferences should be accommodated in defining risk appetite.
  • Larger organisations may make their risk appetite statements public.
  • Public companies often include risk appetite particulars in their annual reports.
  • Different risk appetites may exist for different risk categories and business areas.
23
Q

What are the key tenets of ISO 31000:2018 in terms of establishing context?

A
  1. ISO 31000:2018 directs the planning, implementation, measurement and development of a risk management system.
  2. As part of defining this system, risk context must be established; namely, understanding the internal and external drivers affecting organisational risk (e.g. physical environment, technology, organisational structures, processes).
  3. Context helps an organisation understand its risks, how these relate to its objectives and how these may be controlled.
  4. Context may be established by (i) risk appetite, (ii) risk treatment, (iii) communication and consultation, (iv) recording and reporting, and (v) monitoring and review.
24
Q

What does the National Standards Agency of Ireland do?

A
  1. The NSAI provides additional guidance to Irish organisations on the application of ISO:31000/2018 (via NWA:31000/2011). This includes risk management implementation and assessment guidance, covering, amongst other items:
    - RM framework design;
    - RM policy drafting;
    - Allocation of RM accountability;
    - RM communication mechanisms;
    - Risk assessment techniques;
    - Risk treatment options; and
    - Design of an effective risk register.
25
Q

What is the Orange Book?

A
  1. RM tool, primarily directed toward governmental organisations but relevant to all.
  2. Comprises an RM guide, rather than a set of regulations.
  3. Posits a principles-based set of guidance, covering:
    - Governance and leadership;
    - RM integration (into organisation and activities);
    - Collaboration and communication;
    - RM processes;
    - Risk review and reporting.
26
Q

What are the principal features of the Institute of Risk Management Standard 2002?

A
  1. Similar approach to ISO:31000.
  2. Free to use, shorter than ISO:31000 and available in 14 languages.
  3. Has not been updated as frequently as ISO:31000.
  4. Not prescriptive - best practice benchmark to support design and implementation of effective RM frameworks.
  5. RMS 2002 characterises RM as essential in all organisations, complementing strategic and operational management.

See also (i) Standard Deviations: A Risk Practitioners Guide to ISO:31000/2018 and (ii) From the Cube to the Rainbow Helix: A Risk Practitioners Guide to the COSO ERM Frameworks.

27
Q

What are the principal features of the Guideline Control Objectives for Information and Related Technologies (COBIT) (6th Edition) by the Information Systems Audit and Control Association (ISACA)?

A
  • Good practice framework for the control of IT-related risks, linking IT risks to business goals, across five elements.
  1. Corporate governance principles:
    - Providing stakeholder value;
    - Holistic approach;
    - Dynamic governance system;
    - Governance distinct from management;
    - Tailored to enterprise needs; and
    - End-to-end governance system.
  2. Generic process descriptions for IT risk governance.
  3. Control objectives.
  4. Management guidelines.
  5. Process maturity models.