Workplace - Risk Management Flashcards
How does ISO define Risk?
The effect of uncertainty on objectives.
Risk is commonly seen as something negative, but it is neither positive nor negative. It is potential: what could happen.
Uncertainty can bring good surprises (opportunities = upside risk) and bad surprises (threats = downside risk).
Antifragility
The ability to not just withstand high-impact events but to improve and benefit from them.
How does ISO define Risk Management?
Coordinated activities to direct and control an orgz with regard to risk
Known Unknowns and Unknown Unknowns
- Known knowns: events that are to be expected
- Known unknowns: uncertainties that we know exist but whose probability or impact we don't know much about
- Unknown unknowns: risks that we don't know exist
Kaplan & Mikes' Categories
- Internal and Preventable: come from within the orgz (ethics violation)
- Strategy: uncertainty that the orgz willingly accepts when it commits to a strategy (loans repaid)
- External: outside the orgz and beyond its control (laws and regulations)
Enterprise Risk (Risk Categories in the HR Context)
- Strategy: risks that affect the orgz ability to achieve its objectives
- Operations: risks that affect the ways in which the orgz creates value
- Financial Reporting: risks that affect the accuracy of info about the orgz financial performance
- Compliance: risks associated with meeting the requirements of laws and regulations
Benefits of Handling Risk
- Systematic approach, i.e. holistic alignment of risk levels and mgmt with the orgz strategic objectives
- Leads to a more effective response to risk
- Leads to a more consistent response
- Resources are not wasted
- Interrelationship and possible interactions of risks across the orgz can be understood and managed.
3 Barriers to Handling Risk
- Structural: orgz that are siloed tend to respond to risk in an operational rather than strategic manner
- Cognitive: a mindset lacking imagination, one of unreasonable optimism, or resistance to change
- Cultural: poor alignment of the orgz culture; inadequate communication of the culture’s risk approach
ISO has described an orgz framework that supports the creation of a risk-aware and risk-intelligent culture. The framework includes:
- Management commitment
- Design of a framework for managing risk
- Implementing risk management
- Periodic monitoring and review of the framework
- Continual improvement of the framework
Risk Management Process
- Establish the context of risk: what is the risk appetite?
- Identify and analyze risks: gather info to evaluate risk
- Manage risk: implement risk responses
- Evaluate: audit risk controls
Risk Position
The orgz desired gain or acceptable loss in value
Risk Appetite or Risk Tolerance
The amount of uncertainty the orgz is willing to pursue or to accept to attain its risk mgmt goals
Establish the Context of Risk (Step 1 in Risk Mgmt Process)
- Know internal and external sources of risk
- Define risk criteria
  - risk position
  - risk appetite
- Consider potential for conflict of interest
  - moral hazard
  - principal-agent problem
Risk appetite and tolerance are affected by other factors, including:
- The orgz strategic goals
- The orgz characteristic attitude toward risk
- The orgz resources or risk capacity
- Externally imposed requirements
- Loss expectancy
Single Loss Expectancy (SLE)
The expected monetary loss every time a risk occurs.
It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:
SLE = AV * EF
Annualized Loss Expectancy (ALE)
The expected monetary loss for an asset due to risk over a one-year period.
It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula:
ALE = SLE * ARO
Moral Hazard
When one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss
Principal-Agent Problem
An economic concept often associated with moral hazard in employment.
An agent (EE) takes actions on behalf of a principal (Employer) but has personal incentives that may not align with those of the principal.
Risk Control
An action taken to manage a risk
Identifying Risk (Step 2 in the Risk Mgmt Process)
The goal for this phase is represented in the acronym MECE, which stands for ‘mutually exclusive and comprehensively exhaustive’
In other words, the orgz wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business.
Risk Level
Risk Level = Probability of occurrence * Impact
*Risk level can be quantified through risk scorecards or visualized in a risk matrix.
Risk Scorecard
A tool used to gather individual assessments of various characteristics of risk.
- How likely the risk is to occur
- How quickly a risk would materialize if it occurred
- How well the orgz is currently prepared for a risk
- Possible effects if the risk event occurs
Risk Matrix
A simple grid: horizontal axis = probability of occurrence, vertical axis = severity of the impact on the orgz if the event occurs.
*Doesn't show the degree to which the orgz or function is currently protected against the threat
PAPA Model
Prepare: events not likely to happen but that will materialize quickly if they do
Act: events that are both highly probable and fast-moving
Park: events are slow moving and unlikely
Adapt: events are slowly materializing trends that may affect the orgz significantly