Unit 3 Flashcards
3 components of context
Internal context
Risk management context
External context
Internal context
Organisation's structure, risk management philosophy, culture, attitudes, strategies, policies, processes and people's values
External context
Anything outside the control of the organisation.
External stakeholder expectations, industry regulators, competitor behaviour, economic environment, PESTLE trends
Risk management context
Otherwise known as the RM framework (RASP: risk architecture, strategy and protocols)
4 TECHNIQUES to assess the external and internal context
Stakeholder mapping
Horizon scanning
PESTLE
Extended enterprise
Extended enterprise definition
The structure where a number of organisations come together in a joint endeavour to achieve outcomes that none of them could have achieved on their own.
4 elements used to understand the EE
1) Core activities of the team, function or organisation you are looking at (what is it that you do?)
2) Key inputs to those core activities
3) Key outputs from the activities
4) The external influences that can affect any of the above
PESTLE
Tool used to understand the external context or to categorise risks into political, economic, social, technological, legal and environmental
Stakeholder definition
People and/or organisations with whom the organisation has some form of relationship, contract or influence
Stakeholder mapping
Tool used to identify and categorise stakeholders.
Stakeholders are placed on a matrix according to their attitude and the influence they have on achieving the organisation's objectives (the materiality of the stakeholders)
Horizon scanning
Horizon Scanning is a systematic examination of information to identify potential threats, risks, emerging issues, and opportunities allowing for better preparedness and to support decision making.
Objectives should be SMART
Specific - what do you want to accomplish exactly
Measurable - define the metrics so you can see if you met your goal at the end
Achievable - do you have the skills needed?
Relevant - do the objectives align to the strategy of the firm?
Time bound - have a specific target date for delivery
Definition of strategy
A strategy sets out how an organisation is to be successful, which is broken down into objectives across the organisation
Three levels of objectives
1) Organisation-wide strategic objectives
2) Tactical objectives at level of departments, divisions etc. These normally focus on the implementation of strategy
3) Operational objectives of teams and individuals
What should risk criteria do?
Risk criteria should be developed to evaluate the significance of risk and to support decision making
They should consider the nature and type of uncertainties (i.e., what the categories of risk are), as well as how consequences and likelihood are defined
Definition of risk criteria
Measures of how much risks matter to an organisation.
What can risks attach to?
Core processes
Objectives / stakeholder expectation
Key dependencies
Definition of key dependencies
Key things that the organisation needs in order to be successful, internal or external. They support the core processes of the organisation
Core processes
Fundamental to an organisation’s success because they are the means of delivering strategy and continuity of operations
Stakeholders
Group or groups of individuals who have a stake in the business or are affected by what the organisation does.
Elephant risks
We know the risks are there but ignore them / don’t recognise them / assume someone else is dealing with them. Therefore, they are unacknowledged and thus unmanaged risks
Black swan risks
Also known as surprise risks. We don't know what we don't know. Therefore, they are risks we cannot identify, and so cannot manage, in advance
H&T 5 Techniques for risk assessment
1) Checklists and questionnaires
2) Workshops and brainstorming
3) Inspections and audits
4) Flowchart and dependency analysis
5) Crowdsourcing techniques
Definition of emerging risks
Risks that you know little about when they are recognised
Techniques for identifying emerging risks
Horizon scanning, constant monitoring of the external environment
Short term risks
Risks with an immediate impact
Medium term risks
Risks whose impact becomes apparent some months after the event
Long term risks
Risks whose impact is felt between one and five years after the event
FIRM risk classification technique
Used to both classify risks (identification) and impacts
F - financial (derived internally)
I - infrastructure (derived internally)
R - Reputational (derived externally)
M - marketplace (derived externally)
What is risk analysis?
It helps to determine the size and nature of risks. It does so by analysing the likelihood of the risk materialising together with its impact on the organisation. It provides an input to how a risk is to be treated
iso 31000 definition of risk analysis
The purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk.
The Orange Book and Coso (2017) on risk analysis
They both place risk analysis within the broader subject of risk assessment. Therefore, risks are analysed and then prioritised. This will inform how resources are to be allocated and whether we can proceed with a strategy or have to think of different options
Other risk analysis techniques
Looking at past records, experience, literature, testing, statistical models.
Techniques to prioritise risks
How they impact objectives, likelihood of them happening, potential velocity
Likelihood definition
Term which measures the chances of a specific event occurring. It captures the expected probability and frequency of a risk
Probability
Likelihood expressed numerically as a percentage (0% to 100%), e.g. a 2% chance of rain today
Frequency
Likelihood expressed numerically as a count of occurrences per period, e.g. it rained twice today. Unlike a probability, a frequency can exceed one (it could rain again today), so it is usually converted to a probability measure for comparison with other risks.
how is impact measured
Most organisations use their risk criteria to measure impact
Risk matrix
Combination of impact and likelihood scales on which risks are positioned
It helps prioritise risks and shows the organisation where to focus its effort
Risk vs action matrix
Action is used instead of likelihood because likelihood is hard to measure
The action axis shows the amount of action needed to bring the risk to an acceptable level
Proximity vs velocity
Proximity = how close an org is to a risk occurring
Velocity = measures how fast a risk can impact an org. Once it occurs. The timescale of risk impact
Risk clock speed
The rate at which the info necessary to understand and manage a risk becomes available
- slow clock speed risks are those where enough thinking time is available
- Fast clock speed risks are at or close to real time
Risk clock speed window
The range of risk clock speeds, from fast to slow, that an organisation can deal with and still function effectively. Organisations widen this window by having an established RM system
Three levels of risk rating
Inherent = level of risk before any controls put in place
Current = level of risk taking into account the controls currently in place to manage it. The goal is to move from the current level to the target level by making the existing mitigations more effective or by adding controls
Target = level of risk that is desired because it brings the risk within the acceptable level, i.e. within risk appetite
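The risk matrix and the inherent/current/target ratings are easier to see with numbers. The following Python is an added worked example written for this page; it is not from the flashcards or from any standard. The 5-band likelihood and impact thresholds, the risk appetite score and the four-risk register are constructed assumptions. It converts an annual event frequency into the probability of at least one event in the year (assuming Poisson arrivals), bands likelihood and impact, multiplies the bands for a matrix score, rates each risk at inherent, current and target level, and ranks the register by current score.

```python
import math

# Constructed scales (assumption: thresholds are illustrative, not from any standard).
# Likelihood: upper bound of annual probability -> band 1..5
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.01, 5)]
# Impact: upper bound of financial loss (currency units) -> band 1..5; these are the
# organisation's risk criteria for impact
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4), (float("inf"), 5)]
# Assumption: matrix scores (likelihood band x impact band) at or below this are within appetite
RISK_APPETITE_SCORE = 6

# Constructed register. Each level is (expected events per year, loss per event).
# "firm" is the FIRM category: F financial, I infrastructure, R reputational, M marketplace.
RISK_REGISTER = [
    {"name": "Phishing leads to credential theft", "firm": "I",
     "inherent": (3.0, 250_000), "current": (0.5, 60_000), "target": (0.1, 20_000)},
    {"name": "Ransomware outage of order system", "firm": "I",
     "inherent": (0.5, 5_000_000), "current": (0.2, 2_000_000), "target": (0.05, 500_000)},
    {"name": "Public data breach", "firm": "R",
     "inherent": (0.2, 3_000_000), "current": (0.1, 1_500_000), "target": (0.02, 500_000)},
    {"name": "Key supplier insolvency", "firm": "M",
     "inherent": (0.1, 800_000), "current": (0.1, 400_000), "target": (0.05, 200_000)},
]


def frequency_to_probability(events_per_year: float) -> float:
    """Probability of at least one event in a year, given an expected frequency.

    Assumes events arrive as a Poisson process, so P(>=1) = 1 - exp(-rate).
    A frequency above 1 maps to a probability below 1, never above it.
    """
    return 1.0 - math.exp(-events_per_year)


def band(value: float, bands: list) -> int:
    """Return the band whose upper bound is the first one the value falls below."""
    for upper, b in bands:
        if value < upper:
            return b
    return bands[-1][1]


def matrix_score(probability: float, loss: float) -> tuple:
    """Position on the risk matrix: (likelihood band, impact band, score = L x I)."""
    likelihood = band(probability, LIKELIHOOD_BANDS)
    impact = band(loss, IMPACT_BANDS)
    return likelihood, impact, likelihood * impact


def assess(risk: dict) -> dict:
    """Rate one risk at inherent, current and target level and test it against appetite."""
    out = {"name": risk["name"], "firm": risk["firm"]}
    for level in ("inherent", "current", "target"):
        freq, loss = risk[level]
        out[level] = matrix_score(frequency_to_probability(freq), loss)
    # Evaluation: is further treatment needed, or can the current level be tolerated?
    out["within_appetite"] = out["current"][2] <= RISK_APPETITE_SCORE
    return out


def prioritise(register: list) -> list:
    """Rank risks by current score; ties go to the higher impact band, then by name."""
    assessed = [assess(r) for r in register]
    assessed.sort(key=lambda a: (-a["current"][2], -a["current"][1], a["name"]))
    return assessed


if __name__ == "__main__":
    print(f"{'risk':36} {'FIRM':4} {'inh':>5} {'cur':>5} {'tgt':>5}  within appetite")
    for a in prioritise(RISK_REGISTER):
        inh, cur, tgt = (a[k][2] for k in ("inherent", "current", "target"))
        print(f"{a['name']:36} {a['firm']:4} {inh:>5} {cur:>5} {tgt:>5}  {a['within_appetite']}")
```

The gap between the current and target scores is the "action" axis of the risk versus action matrix: a risk scored 8 now with a target of 3 needs more treatment than one already at 6 with a target of 4, even though both sit near the appetite line.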
definition of risk evaluation
After analysing a risk we must decide whether to respond to the risk or tolerate it. This depends on the risk appetite level
COSO (2004) defines objective setting as
The board should set objectives that support the mission of the organisation and that are consistent with its risk appetite
ISO 31000 sees the overall attitude of an organisation to risk as
Something that can be described by a set of risk criteria
Difference between risk appetite and risk attitude
The risk attitude is concerned with the criteria surrounding risk ,and risk appetite is concerned with the amount of risk required to achieve objectives
What is a indication of risk attitudes of different Organizations
Different organizations will set their tolerance levels differently
What are the advantages of having a risk classification system, as according to the BS 31100
Helps to define the scope of RM in the organisation, provides a structure and framework for risk identification, and gives the opportunity to aggregate similar kinds of risks across the whole organisation.
The number and type of risk categories employed should be selected to suit the size, purpose, nature, complexity and context of the organisation. The categories should reflect the maturity of RM within the organisation.
Risk classification system: IRM Standard
Financial, strategic, hazard, operational
Risk classification system: Orange Book
Strategy, Governance, Operations, Legal, Safety, Financial, Commercial, People, Technology, Information, Security, Project, Programme, Reputational
EM3
Summarises the responses to risks as embrace, manage, mitigate, minimise
Main requirements of a project
Delivered on time, within budget and to specification
Three categories of risks that banks usually face
Market, credit and operational
Market risks
They occur due to fluctuations in the financial markets. The assets and liabilities of the bank are exposed to various kinds of market volatilities, such as changes in interest rates and foreign exchange rates. Primarily an opportunity risk
Credit risks
When the bank lends to a client there is an inherent risk of the money not coming back; this is credit risk. Credit risk is the possibility of the adverse condition in which the client does not pay back the loan amount. A control risk that has to be managed
How does Basel II define operational risk
The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
ISO Guide 73 definition of stakeholder
Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity
CSFSRS
Customers, staff, financiers, society, regulators, suppliers
How does the BS 31100 classify core processes
As strategic, tactical and operational
BS 31100: Strategic perspectives =
Set the future direction of the business
BS 31100: Tactical perspectives =
Are concerned with turning strategy into action by achieving change
BS 31100: Operational perspectives
Related to the day to day operations of the Organization
BPR
Business process re-engineering approach. It is a technique to ensure an org has the most effective processes and operations.
- Starts by identifying stakeholders and their expectations.
- Core processes deliver these shared expectations
- Stakeholders in current and future activities are identified, as well as their expectations in relation to objectives. The core processes can then be defined or refined to deliver these expectations.
- Taking a BPR or core processes approach identifies the core processes that are most vulnerable to risk events. It also enables the identification of stakeholders who are more likely to be dissatisfied because their expectations have not been delivered