Workplace - Risk and Risk Management Flashcards
What is risk?
“the effect of uncertainty on objectives.”
Risks should be understood as having immediate, short-term, and long-term effects. The goal then is to anticipate, prioritize, and manage as many risks as is reasonably possible.
What is risk management?
“coordinated activities to direct and control an organization with regard to risk.”
Three risk categories
“known knowns,” “known unknowns,” and “unknown unknowns.”
What are known knowns?
Events that are to be expected and so involve little uncertainty.
What are known unknowns?
Known unknowns are uncertainties that we know exist, but we don’t know much about their probability or impact.
What are unknown unknowns?
Risks that we don’t know exist. They are the events that “blindside” an organization (or individuals or entire cultures). Nassim Taleb’s “black swan” theory is about unknown unknowns. “Black swans” are unforeseen “outlier” events that are extremely rare, have a major impact, and, when viewed in hindsight, are reasonably predictable (for example, the results of abrupt changes in technology or sudden sociopolitical shifts).
Kaplan and Mikes’ categories of risk
Internal and preventable, external, and strategy.
Risk quadrants
Strategic—risks that affect the organization’s ability to achieve its objectives
Operational—risks that affect the myriad ways in which the organization creates value
Financial—risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition
Hazard—risks that have the potential to cause physical harm to property or people (for example, an illness or injury) in the immediate and long term
Primary barriers to risk management
Structural, cognitive, cultural.
11 principles for risk management according to ISO 31000
Create and protect value.
Be an integral part of all organizational processes.
Be part of decision making.
Explicitly address uncertainty.
Be systematic, structured, and timely.
Be based on the best available information.
Fit an organization’s risk and control environment.
Take into account human and cultural factors.
Be transparent and inclusive.
Be dynamic, iterative, and responsive to change.
Facilitate continual improvement of the organization.
ISO framework that supports the creation of a risk-aware and risk-intelligent culture
Management commitment
Design of a framework for managing risk that includes the organization’s governance layer of explicit policies and processes designed to fulfill those policies.
Implementing risk management to determine the management approach for specific risks.
Periodic monitoring and review of the framework
Continual improvement of the framework
Why are structural factors a barrier to risk management?
Organizations that are structured in a silo fashion tend to respond to risk in an operational rather than strategic manner. They overlook dependencies within the organization that can create risks and/or interfere with proactive risk management. There are few channels for communication about risk and monitoring of practices that span the entire organization.
Why are cognitive factors a barrier to risk management?
Managing risk effectively also requires imagination and openness to change.
It takes more imagination to look beyond compliance to the realm of “what-if” scenarios—a less-certain world containing other sources of risk, especially emerging risks. Those responding to risk must also be willing to try new approaches to managing risk.
Why are cultural factors a barrier to risk management?
Differences in areas such as culture-based uncertainty avoidance and whether cultures value clarity and consistency or embrace ambiguity can greatly alter how risk is perceived. Efforts to create a risk-aware corporate culture must take such varied cultural attitudes into account.
Given the two ongoing activities, “Communication and Consultation” and “Monitor and Review,” explain the risk management process.
Establish the context of risk
Identify and analyze risk
Manage risk
Evaluate
What is a risk position?
A risk position can be defined as the organization’s desired gain or acceptable loss in value.
What are risk appetite and risk tolerance?
The amount of uncertainty the organization is willing to pursue or to accept to attain its risk management goals.
According to COSO, risk appetite is a high-level characterization of acceptable risk—for example, “We will not risk having open managerial positions due to poor recruitment.” Risk tolerance sets a more defined range above and below a target risk position: “We will take necessary steps to make sure that management positions are filled within 30 to 45 days.”
Factors that affect risk appetite and tolerance
The organization’s strategic goals
The organization’s characteristic attitude toward risk
The organization’s resources or risk capacity.
Externally imposed requirements
Loss expectancy.
What is single loss expectancy (SLE)?
SLE is the expected monetary loss every time a risk occurs. It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:
SLE = AV x EF
Asset value may vary with inflation, market changes, and so forth. Introducing preventive measures may reduce an exposure factor.
What is annualized loss expectancy (ALE)?
ALE is the expected monetary loss for an asset due to a risk over a one-year period. It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula:
ALE = SLE x ARO
What is a moral hazard?
Moral hazard exists when one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.
What is the principal-agent problem (or agency dilemma)?
It is an economic concept often associated with moral hazard in employment. The problem arises when an agent (such as an employee) makes decisions or takes actions on behalf of a principal (an employer or owner) but has personal incentives that may not align with those of the principal.
What is duty of care?
Duty of care means that organizations should take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury. An employer’s duty of care spans the entire employment relationship—from recruitment through employment to termination and, in some cases, beyond (for example, retirement).
How can an organization improve its understanding of such a broad spectrum of risk?
Consulting experts and information sources.
Focus groups and individual interviews.
Surveys.
Process analysis.
Direct observation.
Risk level (as an equation)
Risk level = Probability of occurrence x Magnitude of impact
What is a risk scorecard?
A tool used to gather individual assessments of various characteristics of risk (for example, frequency of occurrence; degree of impact, loss, or gain for the organization; degree of efficacy of current controls).
Risk Matrix
Risk level is often expressed visually in a risk matrix, a simple grid in which the horizontal axis represents the probability that an event will occur and the vertical axis relates to the severity of the impact on the organization or function if the event occurs.
PAPA model
The PAPA (prepare, act, park, adapt) model for risk prioritization.
This model uses two axes: the vertical axis considers the speed of change and the horizontal axis the degree of likelihood. The matrix can be used for both threats and opportunities. The quadrants represent recommended organizational actions.
Prepare (PAPA model)
Prepare events are not likely to happen but will materialize quickly if they do occur. That means contingency plans must be in place and early indicators defined.
Act (PAPA model)
Act events are both highly probable and fast-moving. These threats and opportunities require immediate responses in terms of enhancing the chances for opportunities and decreasing the chances of a threat occurring or creating significant damage.
Park (PAPA model)
Park events are slow-moving and unlikely. They merit monitoring for changes in their characteristics but not investment in mitigation or contingencies.
What is a risk register?
A risk register records the potential risks that have been identified; however, it does not hold the details of those risks. It increases transparency and accountability in an organization’s risk management process.
What is a Key Risk Indicator (KRI)
A KRI signals when risk exposure may be increasing. It can be used to identify emerging risks to the organization. KRIs monitor risk but do not prevent risks from occurring. They are not enough in themselves to create transparency and accountability.
MECE
mutually exclusive and comprehensively exhaustive.
An organization wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business, but it wants to avoid duplication or overlapping in the identification. Duplicate risks may mean wasted resources and burdensome reporting that could discourage compliance. Overlapping risks could lead to incomplete management of a risk, conflicts among the different owners of the risk, and loss of organizational control over the management of the risk.
What are upside risk management tactics?
Optimize, share, enhance, and ignore.
What are downside risk management tactics?
Avoid, transfer, mitigate, and accept.
For risk mitigation, what does avoidance mean?
The decision not to become involved in or action to withdraw from a risk situation.
For risk mitigation, what does reduction mean?
The actions taken to lessen the probability, negative consequence, or both associated with a risk.
In regard to risk mitigation tactics, what does sharing mean?
Sharing with another party the burden of loss or benefit of gain for a risk. Risk sharing can be done through insurance or other agreements. It can create new risks or modify existing risks. Relocation of the source of risk is not risk sharing. In some situations, legal, mandatory, or statutory rights can limit, prohibit, or mandate the sharing of certain risks.
In regard to risk mitigation tactics, what does retention mean?
The acceptance of the burden of loss or benefit of gain for a risk.
What is the approach behind the optimize (upside) and avoid (downside) risk management tactics?
Eliminate uncertainty.
What is the approach behind the share/transfer risk management tactics?
Redefine ownership.
What is the approach behind the enhance/mitigate risk management tactics?
Employ levers to increase or decrease effect.
What is the approach behind the ignore/accept risk management tactics?
Take no action.
What is residual risk?
The amount of uncertainty that remains after all risk management efforts have been exhausted.
What is insider risk?
Physical security, cyber threats, espionage, sabotage, and theft/fraud.