Workplace - Risk Management Flashcards
How does ISO define Risk?
The effect of uncertainty on objectives.
Risk is commonly seen as something negative, but it is neither positive nor negative. It is POTENTIAL: what could happen.
Uncertainty can bring good surprises (opportunities=upside risk) and bad surprises (threats=downside risk)
Antifragility
The ability to not just withstand high-impact events but to improve and benefit from them.
How does ISO define Risk Management?
Coordinated activities to direct and control an orgz with regard to risk
Known Unknowns and Unknown Unknowns
- Known knowns: events that are to be expected
- Known unknowns: uncertainties that we know exist but we don't know much about their probability or impact
- Unknown unknowns: risks that we don't know exist
Kaplan & Mike’s Categories
- Internal and Preventable: come from within the orgz (ethics violation)
- Strategy: uncertainty that the orgz willingly accepts when it commits to a strategy (loans repaid)
- External: outside the orgz and beyond its control (laws and regulations)
Enterprise Risk (Risk Categories in the HR Context)
- Strategy: risks that affect the orgz ability to achieve its objectives
- Operations: risks that affect the ways in which the orgz creates value
- Financial Reporting: risks that affect the accuracy of info about the orgz financial performance
- Compliance: risks associated with meeting the requirements of laws and regulations
Benefits of Handling Risk
- Systematic approach or holistic alignment of risk levels and mgmt: aligned to the orgz strategy objectives
- Leads to a more effective response to risk
- Leads to a more consistent response
- Resources are not wasted
- Interrelationship and possible interactions of risks across the orgz can be understood and managed.
3 Barriers of Handling Risk
- Structural: orgz that are siloed tend to respond to risk in an operational rather than strategic manner
- Cognitive: mindset lacking imagination, or one of unreasonable optimism, resistance to change
- Cultural: poor alignment of the orgz culture; inadequate communication of the culture’s risk approach
ISO has described an orgz framework that supports the creation of a risk-aware and risk-intelligent culture. The framework includes:
- Management commitment
- Design of a framework for managing risk
- Implementing risk management
- Periodic monitoring and review of the framework
- Continual improvement of the framework
Risk Management Process
- Establish the context of risk: what is the risk appetite?
- Identify and analyze risks: gather info to evaluate risk
- Manage risk: implement risk responses
- Evaluate: audit risk controls
Risk Position
The orgz desired gain or acceptable loss in value
Risk Appetite or Risk Tolerance
The amount of uncertainty the orgz is willing to pursue or to accept to attain its risk mgmt goals
Establish the Context of Risk (Step 1 in Risk Mgmt Process)
- Know internal and external sources of risk
- Define risk criteria
  - risk position
  - risk appetite
- Consider potential for conflict of interest
  - moral hazard
  - principal-agent problem
Risk appetite and Tolerance are affected by other factors, including:
- The orgz strategic goals
- The orgz characteristic attitude toward risk
- The orgz resources or risk capacity
- Externally imposed requirements
- Loss expectancy
Single Loss Expectancy (SLE)
The expected monetary loss every time a risk occurs.
It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:
SLE = AV * EF
Annualized Loss Expectancy (ALE)
The expected monetary loss for an asset due to risk over a one year period.
It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula:
ALE = SLE * ARO
Moral Hazard
When one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss
Principal-Agent Problem
An economic concept often associated with moral hazard in employment.
An agent (EE) takes actions on behalf of a principal (Employer) but has personal incentives that may not align with those of the principal.
Risk Control
An action taken to manage a risk
Identifying Risk (Step 2 in the Risk Mgmt Process)
The goal for this phase is represented in the acronym MECE, which stands for ‘mutually exclusive and comprehensively exhaustive’
AKA: the orgz wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business.
Risk Level
Risk Level = Probability that it will occur * Impact
*Risk level can be quantified through risk scorecards or visualized in a risk matrix.
Risk Scorecard
A tool used to gather individual assessments of various characteristics of risk.
- How likely is the risk to occur
- How quickly a risk would materialize if it occurred
- How well the orgz is currently prepared for a risk
- Possible effects if the risk event occurs
Risk Matrix
A simple grid (horizontal axis = probability of occurrence; vertical axis = severity of the impact on the orgz if the event occurs).
*Doesn't show the degree to which the orgz or function is currently protected against the threat
PAPA Model
Prepare: events not likely to happen but will materialize quickly if they do
Act: events are both highly probable and fast moving
Park: events are slow moving and unlikely
Adapt: events are slowly materializing trends that may affect the orgz significantly
Key Risk Indicators (KRIs)
- Metrics that provide an early signal of increasing risk exposures
- Are strategically aligned with strategic objectives
- Developed by considering the root causes of risks and intermediate events that may signal changes
- Ignoring alerts makes them ineffective and opens the orgz up to unnecessary risk
- Identifying KRIs puts an orgz in front of the risk it is trying to manage
Risk Register
Lists information about and responsibility for managing specific risks
- risk category
- risk event
- risk classification
- KRIs
- risk mgmt controls
- risk owners
- reporting requirements
Risk Mgmt (Step 3 in the Risk Mgmt Process)
Upside Risk Mgmt Tactics
- Optimize
- Share
- Enhance
- Ignore
Approach
- Eliminate Uncertainty
- Redefine Ownership
- Employ levers to increase or decrease effect
- Take no action
Downside Risk Mgmt Tactics
- Avoid
- Transfer
- Mitigate
- Accept
Residual Risk
The amount of uncertainty that remains after all risk mgmt efforts have been exhausted
As with all performance measurement, HR's risk mgmt performance targets should:
- Be strategically focused
- Combine activities and results
- Combine lagging and leading metrics
- Modify risks related to noncompliance
- Instill risk mgmt principles in the orgz members and processes
Contingency Plan
A protocol that an orgz implements when an identified risk event occurs.
*Emergency preparedness and business continuity require preparedness for foreseen and unforeseen events.
Crisis Mgmt Planning and Readiness Process
- Identify and Manage Risk
- Develop crisis mgmt plan
- Train, test, drill
- Learn
- Evaluate and revise plans as needed
Also
- Activate plans
- Recover, learn, improve
Contingency Plans Include
Policies, Communication, Continuity, Evaluation, Training
Types of Threats
- Security Threats: cyber threats, physical security
- Illness and Injury: physical, chemical, biological
- Drug Use: illegal or legal drugs or alcohol before/during/after working hours
Evaluate (Step 4 in the Risk Mgmt Process)
- Increase transparency
- Confirm compliance
- Assess effectiveness of individual strategies
- Assess effectiveness of orgz risk mgmt framework
- Continually improve risk mgmt skills
What is included in Evaluation
Conduct de-briefs and incident investigations
Facilitate and investigate whistleblowing charges (and prevent retaliation)
Conduct audits (health & safety, compliance, process)
Quality Assurance and CI
QA: helps ensure that work is performed according to standards
CI: orgz approaches to improve/maintain the quality of risk mgmt processes
- Risk mgmt is not static; it is a continuous activity.
- QA and CI help an orgz remain vigilant