Workplace - Risk and Rish Mangament

Question 1

What is risk

Answer 1

“the effect of uncertainty on objectives.”

Risks should be understood as having immediate, short-term, and long-term effects. The goal then is to anticipate, prioritize, and manage as many risks as is reasonably possible.

Question 2

what is risk management

Answer 2

coordinated activities to direct and control an organization with regard to risk.”

Question 3

Three risk categories

Answer 3

“known knowns,” “known unknowns,” and “unknown unknowns”:

Question 4

what are known knowns

Answer 4

events that are to be expected and so involve little uncertainty.

Question 5

what are Known unknowns

Answer 5

Known unknowns are uncertainties that we know exist but we don’t know much about their probability or impact

Question 6

Unknown unknowns

Answer 6

risks that we don’t know exist. They are the events that “blindside” an organization (or individuals or entire cultures). Nassim Taleb’s “black swan” theory is about unknown unknowns. “Black swans” are unforeseen “outlier” events that are extremely rare, have a major impact, and, when viewed in hindsight, are reasonably predictable (for example, the results of abrupt changes in technology or sudden sociopolitical shifts).

Question 7

Kaplan and Mikes categories of risk

Answer 7

Internal and preventable, External, strategy

Question 8

Risk quadrants

Answer 8

trategic—risks that affect the organization’s ability to achieve its objectives

Operational—risks that affect the myriad ways in which the organization creates value

Financial—risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition

Hazard—risks that have the potential to cause physical harm to property or people (for example, an illness or injury) in the immediate and long term

Question 9

primary barriers to risk managment

Answer 9

Structural, Cognitive, cultural

Question 10

11 principles for risk management according to ISO 310000

Answer 10

Create and protect value.

Be an integral part of all organizational processes.

Be part of decision making.

Explicitly address uncertainty.

Be systematic, structured, and timely.

Be based on the best available information.

Fit an organization’s risk and control environment.

Take into account human and cultural factors.

Be transparent and inclusive.

Be dynamic, iterative, and responsive to change.

Facilitate continual improvement of the organization.

Question 11

Iso Org Framework that supports the creation of a risk-aware and risk-intelligent culture.

Answer 11

Management commitment

Design of a framework for managing risk that includes the organization’s governance layer of explicit policies and processes designed to fulfill those policies.

Implementing risk management to determine the management approach for specific risks.

Periodic monitoring and review of the framework

Continual improvement of the framework

Question 12

Why is structural a barrier to risk management

Answer 12

Organizations that are structured in a silo fashion tend to respond to risk in an operational rather than strategic manner. They overlook dependencies within the organization that can create risks and/or interfere with proactive risk management. There are few channels for communication about risk and monitoring of practices that span the entire organization.

Question 13

Why is cognitive a barrier to risk management

Answer 13

Managing risk effectively also requires imagination and openness to change.

it takes more imagination to look beyond compliance to the realm of “what-if” scenarios—a less-certain world containing other sources of risk, especially emerging risks. Those responding to risk must also be willing to try new approaches to managing risk.

Question 14

Why is cultural a barrier to risk management

Answer 14

Differences in areas such as culture-based uncertainty avoidance and whether cultures value clarity and consistency or embrace ambiguity can greatly alter how risk is perceived. Efforts to create a risk-aware corporate culture must take such varied cultural attitudes into account.

Question 15

when you have two ongoing activietes, “Communication and Consultation” and “Monitor and Review.” explain the risk managment process

Answer 15

Establish the context of risk

identify and analyze risk

manage risk

evaluate

Question 16

what is a risk position

Answer 16

risk position can be defined as the organization’s desired gain or acceptable loss in value.

Question 17

risk appetite or risk tolerance,

Answer 17

The amount of uncertainty the organization is willing to pursue or to accept to attain its risk management goals

According to COSO, risk appetite is a high-level characterization of acceptable risk—for example, “We will not risk having open managerial positions due to poor recruitment.” Risk tolerance sets a more defined range above and below a target risk position: “We will take necessary steps to make sure that management positions are filled within 30 to 45 days.”

Question 18

Factors that effect risk appetite and tolerance

Answer 18

The organization’s strategic goals

The organization’s characteristic attitude toward risk

The organization’s resources or risk capacity.

Externally imposed requirements

Loss expectancy.

Question 19

What is Single loss expectancy (SLE)

Answer 19

is the expected monetary loss every time a risk occurs. It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:

SLE = AV x EF

Asset value may vary with inflation, market changes, and so forth. Introducing preventive measures may reduce an exposure factor.

Question 20

what is Annualized loss expectancy (ALE

Answer 20

is the expected monetary loss for an asset due to a risk over a one-year period. It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula:

ALE = SLE x ARO

Question 21

What is a moral hazard

Answer 21

Moral hazard exists when one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.

Question 22

what is The principal-agent problem (or agency dilemma

Answer 22

is an economic concept often associated with moral hazard in employment. The problem arises when an agent (such as an employee) makes decisions or takes actions on behalf of a principal (an employer or owner) but has personal incentives that may not align with those of the principal.

Question 23

what is duty of care

Answer 23

means that organizations should take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury. An employer’s duty of care spans the entire employment relationship—from recruitment through employment to termination and, in some cases, beyond (for example, retirement).

Question 24

how can a organization improve its understanding of this broad a spectrum of risk?

Answer 24

Consulting experts and information sources.

Focus groups and individual interviews.

Surveys

Process analysis.

Direct observation

Question 25

Risk level (as a equation)

Answer 25

Risk level = Probability of occurrence x Magnitude of impact

Question 26

what is a risk scorecard

Answer 26

a tool used to gather individual assessments of various characteristics of risk (for example, frequency of occurrence; degree of impact, loss, or gain for the organization; degree of efficacy of current controls.

Question 27

Risk Matrix

Answer 27

Risk level is often expressed visually in a risk matrix, a simple grid in which the horizontal axis represents the probability that an event will occur and the vertical axis relates to the severity of the impact on the organization or function if the event occurs.

Question 28

PAPA MODEL

Answer 28

prepare, act, park, adapt) model for risk prioritization This model uses two axes: The vertical axis considers the speed of change and the horizontal access the degree of likelihood. The matrix can be used for both threats and opportunities. The quadrants represent recommended organizational actions.

Question 29

prepare (papa model)

Answer 29

Prepare events are not likely to happen but will materialize quickly if they do occur. That means contingency plans must be in place and early indicators defined.

Question 30

act (papa model)

Answer 30

Act events are both highly probable and fast-moving. These threats and opportunities require immediate responses in terms of enhancing the chances for opportunities and decreasing the chances of a threat occurring or creating significant damage.

Question 31

Park (PAPA MODEL)

Answer 31

Park events are slow-moving and unlikely. They merit monitoring for changes in their characteristics but not investment in mitigation or contingencies.

Question 32

what is a risk register

Answer 32

A risk register is used to identify potential risks that have been identified, however, it does not have details of the risks. it increases the transparency and accountability in an organizations risk management process

Question 33

What is a Key Risk Indicator (KRI)

Answer 33

A KRI signals when risk exposure may be increasing. It can be used to identify emerging risks to the organization. KRIs monitor risk but do not prevent risks from occurring. They are not enough in themselves to create transparency and accountability.

Question 34

MECE

Answer 34

mutually exclusive and comprehensively exhaustive. organization wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business, but it wants to avoid duplication or overlapping in the identification. Duplicate risks may mean wasted resources and burdensome reporting that could discourage compliance. Overlapping risks could lead to incomplete management of a risk, conflicts among the different owners of the risk, and loss of organizational control over the management of the risk.

Question 35

what are Upside Risk Management Tactics

Answer 35

Optimize, Share, Enhance and ignore

Question 36

what are downside risk management tactics

Answer 36

Avoid, Transfer, Mitigate, Accept

Question 37

for risk mitigation, what is avoidance mean

Answer 37

The decision not to become involved in or action to withdraw from a risk situation.

Question 38

for risk mitigation what does reduction mean

Answer 38

The actions taken to lessen the probability, negative consequence, or both associated with a risk.

Question 39

in regards to risk mitigation tactics, what is sharing mean

Answer 39

Sharing with another party the burden of loss or benefit of gain for a risk. Risk sharing can be done through insurance or other agreements. It can create new risks or modify existing risks. Relocation of the source of risk is not risk sharing. In some situations, legal, mandatory, or statutory rights can limit, prohibit, or mandate the sharing of certain risks.

Question 40

in regards to risk mitigation tactics, what is retention mean

Answer 40

The acceptance of the burden of loss or benefit of gain for a risk.

Question 41

what is the approach to optimize/downside risk management tactics

Answer 41

Eliminate uncertainty

Question 42

approach to share/transfer risk management tactics

Answer 42

redefine ownership

Question 43

Approach to enhance/mitigate risk management tactic

Answer 43

employ levers to increase or decrease effect

Question 44

approach to ignore/accept risk management tactics

Answer 44

Take no action

Question 45

what is residual risk

Answer 45

the amount of uncertainty that remains after all risk management efforts have been exhausted

Question 46

what is insider risk

Answer 46

phyiscal security,cyber threats, espionage, sabotage and theft/fraud