Workplace - Risk Management

Question 1

How does ISO define Risk?

Answer 1

The effect of uncertainty on objectives.

Risk is commonly seen as something negative, but it is neither positive or negative. It is POTENTIAL–what could happen.

Uncertainty can bring good surprises (opportunities=upside risk) and bad surprises (threats=downside risk)

Question 2

Antifragility

Answer 2

The ability to not just withstand high-impact events but to improve and benefit from them.

Question 3

How does ISO define Risk Management?

Answer 3

Coordinated activities to direct and control an orgz with regard to risk

Question 4

Known Unknowns and Unknown Unknowns

Answer 4

1. Known knowns: events that are to be expected
2. Known unknowns: uncertainties that we know exist but we dont know much about their probablility or impact
3. Unknown unknowns: risks that we dont know exist

Question 5

Kaplan & Mike’s Categories

Answer 5

1. Internal and Preventable: come from within the orgz (ethics violation)
2. Strategy: uncertainty that the orgz willingly accepts when it commits to a strategy (loans repaid)
3. External: outside the orgz and beyond its control (laws and regulations)

Question 6

Enterprise Risk (Risk Categories in the HR Context)

Answer 6

1. Strategy: risks that affect the orgz ability to achieve its objectives
2. Operations: risks that affect the ways in which the orgz creates value
3. Financial Reporting: risks that affect the accuracy of info about the orgz financial performance
4. Compliance: risks associated with meeting the requirements of laws and regulations

Question 7

Benefits of Handling Risk

Answer 7

1. Systematic approach or holistic alignment of risk levels and mgmt–align to the orgz strategy objectives
2. Leads to a more effective response to risk
3. Leads to a more consistent reponse
4. Resources are not wasted
5. Interrelationship and possible interactions of risks across the orgz can be understood and managed.

Question 8

3 Barriers of Handling Risk

Answer 8

1. Structural: orgz that are silo tend to respond to risk in an operational rather than strategic manner
2. Cognitive: mindset lacking imagination, or one of unreasonable optimism, resistance to change
3. Cultural: poor alignment of the orgz culture; inadequate communication of the culture’s risk approach

Question 9

ISO has described an orgz framework that supports the creation of a risk-aware and risk-intelligent culture. The framework includes:

Answer 9

1. Managment Commitment
2. Design of a framework for managing risk
3. Implementing risk management
4. Periodic monitoring and review of the framework
5. Continual improvement of the framework

Question 10

Risk Management Process

Answer 10

1. Establish the context of risk: what is the risk appetite?
2. Identify and analyze risks: gather info to evaluate risk
3. Manage risk: implement risk responses
4. Evaluate: audit risk controls

Question 11

Risk Position

Answer 11

The orgz desired gain or acceptable loss in value

Question 12

Risk Appetite or Risk Tolerance

Answer 12

The amount of uncertainty the orgz is willing to pursue or to accept to attain its risk mgmt goals

Question 13

Establish the Context of Risk (Step 1 in Risk Mgmt Process)

Answer 13

1. Know internal and external sources of risk
2. Define risk criteria
   - risk position
   - risk appetite
3. Consider potential for conflict of interest
   - moral hazard
   - principal-agent problem

Question 14

Risk appetite and Tolerance are affected by other factors, including:

Answer 14

1. The orgz strategic goals
2. The orgz characteristic attitude toward risk
3. The orgz resources or risk capacity
4. Externally imposed requirement
5. Loss expectancy

Question 15

Single Loss Expectancy (SLE)

Answer 15

The expected monetary loss every time a risk occurs.

It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula:

SLE=AV*EF

Question 16

Annualized Loss Expectancy (ALE)

Answer 16

The expected monetary loss for an asset due to risk over a one year period.

It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula:

ALE=SLE*ARO

Question 17

Moral Hazard

Answer 17

When one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss

Question 18

Principal-Agent Problem

Answer 18

An economic concept often associated with moral hazard in employment.

An agent (EE) takes actions on behalf of a principal (Employer) but has personal incentives that may not align with those of the principal.

Question 19

Risk Control

Answer 19

An action taken to manage a risk

Question 20

Identifying Risk (Step 2 in the Risk Mgmt Process)

Answer 20

The goal for this phase is represented in the acronym MECE, which stands for ‘mutually exclusive and comprehensively exhaustive’

AKA: the orgz wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business.

Question 21

Risk Level

Answer 21

Risk Level=Probability that it will occur*Impact

*Risk level can be quantified through risk scorecards or visualized in a risk matrix.

Question 22

Risk Scorecard

Answer 22

A tool used to gather individual assessments of various characteristics of risk.

• How likely is the risk to occur
• How quickly a risk would materialize if it occurred
• How well the orgz is currently prepared for a risk
• Possible effects if the risk event occur

Question 23

Risk Matrix

Answer 23

A simple grid (horizontal axis= probability of occurnce) and (vertical axis= severity of the impact) on the orgz if the event occurs.

*Doesnt show the degree to which the orgz or function is currently protected against the threat

Question 24

PAPA Model

Answer 24

Prepare: events not likely to happen but will materialize quickly if they do

Act: events are both highly probable and fast moving

Park: events are slow moving and unlikely

Adapt: events are slowly materializing trends that may affect the orgz significantly

Question 25

Key Risk Indicators (KRIs)

Answer 25

1. Metrics that provide an early signal of increasing risk exposures
2. Are strategically aligned with strategic objectives
3. Developed by considering the root causes of risks and intermediate events that may signal changes
4. Ignoring alerts makes them ineffective and opens the orgz up to unnecessary risk
5. Identifying KRIs puts an orgz in front of the risk it is trying to manage

Question 26

Risk Register

Answer 26

Lists information about and responsibility for managing specific risks

• risk category
• risk event
• risk classification
• KRIs
• risk mgmt controls
• risk owners
• reporting requirements

Question 27

Risk Mgmt (Step 3 in the Risk Mgmt Process)

Answer 27

Upside Risk Mgmt Tacts

• Optimize
• Share
• Enhance
• Ignore

Approach

• Eliminate Uncertainty
• Redefine Onwership
• Emloy levers to increase or decrease effect
• Take no action

Downside Risk Mgmt Tactics

• Avoid
• Transfer
• Mitigate
• Accept

Question 28

Residual Risk

Answer 28

The amount of uncertainty that remains after all risk mgmt efforts have been exhausted

Question 29

As with all performance measurement, HRs risk mgmt performance targets should:

Answer 29

1. Be strategically focused
2. Combine activities and results
3. Combine lagging and leading metrics
4. Modify risks related to noncompliance
5. Instilling risk mgmt principles in the orgz members and processes

Question 30

Contingency Plan

Answer 30

A protocol that an orgz implements when an identified risk event occurs.

*Emergency preparedness and business continuity require: Preparedness for forseen and unforseen events.

Question 31

Crisis Mgmt Planning and Readiness Process

Answer 31

1. Identify and Manage Risk
2. Develop crisis mgmt plan
3. Train, test, drill
4. Learn
5. Evaluate and revise plans as needed

Also

6. Activiate plans
7. Recover, learn, improve

Question 32

Contingency Plans Include

Answer 32

Policies, Communication, Continuity, Evaluation, Training

Question 33

Types of Threats

Answer 33

1. Security Threats: cyber threats, physical security
2. Illness and Injury: physical, chemical, biological
3. Drug Use: illegal or legal drugs or alcohol before/during/after working hours

Question 34

Evaluate (Step 4 in the Risk Mgmt Process)

Answer 34

1. Increase transparency
2. Confirm compliance
3. Assess effectiveness of individual strategies
4. Assess effectiveness of orgz risk mgmt framework
5. Continually improve risk mgmt skills

Question 35

What is included in Evaluation

Answer 35

Conduct de-briefs and incident investigations

Facilitate and investigate whistleblowing charges (and prevent retaliation)

Conduct audits (health & safety, compliance, process)

Question 36

Quality Assurance and CI

Answer 36

Q&A: help ensure that work is performed according to standards

CI: orgz approaches to improve/maintain the quality of risk mgmt processes

• Risk MGMT is not static; it is continuous activity.
• QA and CI help an orgz remain vigilant