Risk Management Lecture 1 Flashcards
What is the formal definition of risk?
The estimated frequency and potential impact of future loss.
What is the oversimplified risk equation?
Risk ($/year) = potential impact of an event on the business ($ amount of lost revenue) * estimated frequency of such events (# of events per year)
What is the official equation for calculating risk?
ALE = SLE * ARO
ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence)
What is SLE (Single Loss Expectancy)?
SLE is defined as the dollar amount assigned to a single event; it represents the company's potential loss if a specific threat were to occur once.
What is ARO (Annualized Rate of Occurrence)?
ARO is the value that represents the estimated frequency of a specific threat taking place within a 12-month period. For example, ARO = 2 means the event takes place twice a year; ARO = 0.5 means it takes place once every two years; ARO = 0 means the event is not expected to happen at all.
What does an ARO (Annualized Rate of Occurrence) of 5 mean?
Since ARO is based on a 12-month period, an ARO of 5 means we expect 5 such events to take place in a 12-month span.
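The two cards above give the formula but not the decision it is meant to support. The following Python is an added example, not part of the original flashcards: it computes SLE and ALE for a small constructed risk register, ranks threats by ALE, and then works out the net annual value of a safeguard (ALE before minus ALE after minus the control's yearly cost), which is how ALE is normally used to decide whether a control is worth buying. Deriving SLE as asset value times an exposure factor, and every dollar figure, ARO and control cost, are assumptions of this example.

```python
"""Quantitative risk analysis with SLE, ARO and ALE, plus safeguard cost/benefit.

Added example, not part of the original flashcards. The threats, dollar
figures, exposure factors, AROs and safeguard costs below are constructed
for illustration only.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # $ value of the asset exposed to this threat
    exposure_factor: float  # fraction of asset value lost in one event (0..1)
    aro: float              # Annualized Rate of Occurrence: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: $ lost if the threat occurs once.
        Derived here as asset value * exposure factor (an assumption of this
        example; the flashcards define SLE directly as a dollar amount)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE * ARO. An ARO below 1 is valid and
        simply means the event is expected less than once a year."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                           # recurring $ cost of the control
    new_aro: float                               # expected ARO once the control is in place
    new_exposure_factor: Optional[float] = None  # None = control does not change impact


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value of a control = ALE(before) - ALE(after) - annual cost.
    Positive: the control is cheaper than the loss it prevents.
    Negative: accepting the risk (or a cheaper control) is the better choice."""
    ef = (threat.exposure_factor if safeguard.new_exposure_factor is None
          else safeguard.new_exposure_factor)
    after = replace(threat, exposure_factor=ef, aro=safeguard.new_aro)
    return threat.ale() - after.ale() - safeguard.annual_cost


def rank_by_ale(threats: List[Threat]) -> List[Threat]:
    """Highest ALE first: where the mitigation budget should go first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# Constructed sample register (illustrative figures, not real data).
PHISHING = Threat("credential phishing", asset_value=50_000, exposure_factor=1.0, aro=5)
RANSOMWARE = Threat("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
FLOOD = Threat("flood at data center", asset_value=2_000_000, exposure_factor=0.25, aro=0.01)

MFA = Safeguard("phishing-resistant MFA", annual_cost=40_000, new_aro=1)
OFFLINE_BACKUPS = Safeguard("offline backups", annual_cost=30_000, new_aro=0.5, new_exposure_factor=0.1)
FLOOD_BARRIER = Safeguard("flood barrier", annual_cost=20_000, new_aro=0.001)

if __name__ == "__main__":
    for t in rank_by_ale([PHISHING, RANSOMWARE, FLOOD]):
        print(f"{t.name:28s} SLE=${t.sle():>12,.0f}  ARO={t.aro:<6}  ALE=${t.ale():>12,.0f}")
    for t, s in [(PHISHING, MFA), (RANSOMWARE, OFFLINE_BACKUPS), (FLOOD, FLOOD_BARRIER)]:
        print(f"{s.name:28s} net value/year = ${safeguard_value(t, s):>12,.0f}")
```

Note that offline backups do not change how often ransomware hits (ARO stays 0.5) but cut the exposure factor, so the ALE reduction comes entirely from impact; the flood barrier, by contrast, reduces frequency of an already rare event and its annual cost exceeds the ALE it removes, so the arithmetic says to accept that risk rather than buy the control.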
According to COSO (Committee of Sponsoring Organizations of the Treadway Commission),
what is ERM (Enterprise Risk Management)?
A process
effected by an entity's:
board of directors,
management,
and other personnel
applied in strategy setting and across the enterprise
designed to identify potential events that may affect the entity
and manage risk to be within its risk appetite
to provide reasonable assurance regarding the achievement of entity objectives.
What is risk appetite as defined by COSO?
Risk appetite is the amount of risk,
on a broad level
that an organization is willing to accept
in pursuit of its business objectives
What are the key benefits of following a common framework for managing enterprise risk?
- Adopt a common risk language
- Conduct an enterprise risk assessment to identify and prioritise risks
- Perform a gap analysis of the current and target capabilities around managing the critical risks
- Make informed business decisions at all levels of the organization using a repeatable process
- Align risk management effort with the company's vision, goals, and objectives
According to COSO, what is the purpose of KRIs (Key Risk Indicators)?
Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.
What are the various roles KRIs have within an organization?
Hint: 6
- Quantifiable early warning signals
- Timely monitoring of potential risks
- Sufficient time for preparing risk mitigation programs
- Clear perspective into the organization's risk position
- Better insight into risks and controls
- Awareness on risk patterns and trends
What are the features of good KRIs?
KRIs can be early warning signals
KRIs address the key risk drivers
KRIs must be specific to business activity
KRIs are best identified via data and process analysis
KRIs should help with business decision making
KRI thresholds should link to risk appetite
What are Leading (Proactive) Indicators?
Leading indicators identify emerging trends for risks and enable management to take proactive steps to prevent events from occurring.
e.g.
• % of employees that rated the work environment below satisfactory in a survey
• # of clients who complained on social media
• # of employees who can access sensitive customer data
What is a Lagging (Detective) indicator?
Lagging indicators may be considered "detective" in nature and provide information about events that have occurred in the past.
e.g.
• Medical claims specialist turnover
• # of privacy lawsuits filed by clients
• # of system failures per month
• # of customer complaints
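The "features of good KRIs" card says thresholds should link to risk appetite, and the two cards above split KRIs into leading (early warning) and lagging (detective) ones. The Python below is an added example, not part of the original flashcards, that puts those ideas together: each KRI carries an amber (watch) and red (appetite limit) threshold, observations are mapped onto green/amber/red, and a leading KRI that is still inside its thresholds but has been moving the wrong way for several periods is escalated to amber, which is exactly the early-warning role the cards describe. The KRI names, thresholds, the three-period trend rule and the monthly observations are all assumptions constructed for illustration.

```python
"""KRI monitoring: thresholds linked to risk appetite plus a trend check that
turns a leading indicator into an early-warning signal.

Added example, not part of the original flashcards. The KRI names,
thresholds and monthly observations are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    name: str
    kind: str             # "leading" (proactive) or "lagging" (detective)
    amber: float          # watch level: exposure is increasing
    red: float            # appetite limit: at or beyond this the risk is outside appetite
    higher_is_worse: bool = True


def threshold_status(kri: KRI, value: float) -> str:
    """Map one observation onto green/amber/red against the KRI thresholds."""
    if kri.higher_is_worse:
        breached_red, breached_amber = value >= kri.red, value >= kri.amber
    else:  # e.g. "% of staff who completed training": lower is worse
        breached_red, breached_amber = value <= kri.red, value <= kri.amber
    if breached_red:
        return "red"
    if breached_amber:
        return "amber"
    return "green"


def trending_worse(kri: KRI, history: List[float], periods: int = 3) -> bool:
    """True if the last `periods` consecutive steps all moved in the bad direction."""
    if len(history) < periods + 1:
        return False
    recent = history[-(periods + 1):]
    steps = list(zip(recent, recent[1:]))
    if kri.higher_is_worse:
        return all(later > earlier for earlier, later in steps)
    return all(later < earlier for earlier, later in steps)


def evaluate(kri: KRI, history: List[float]) -> Dict[str, object]:
    """Status of a KRI given its observation history (oldest first)."""
    current = history[-1]
    status = threshold_status(kri, current)
    worse = trending_worse(kri, history)
    # Early-warning rule: a leading KRI that is still green by threshold but has
    # been moving the wrong way is escalated to amber so mitigation can start
    # before the appetite limit is hit. Lagging KRIs report what has already
    # happened, so they are left at their plain threshold status.
    if kri.kind == "leading" and status == "green" and worse:
        status = "amber"
    return {"kri": kri.name, "value": current, "status": status, "trending_worse": worse}


# Constructed sample KRIs (thresholds are illustrative, not recommendations).
SENSITIVE_ACCESS = KRI("% of employees who can access sensitive customer data", "leading", amber=10, red=15)
SYSTEM_FAILURES = KRI("# of system failures per month", "lagging", amber=3, red=5)
COMPLAINTS = KRI("# of customer complaints per month", "lagging", amber=20, red=40)
TRAINED = KRI("% of staff who completed security training", "leading", amber=90, red=80, higher_is_worse=False)

if __name__ == "__main__":
    # Constructed monthly observations, oldest first.
    for kri, hist in [(SENSITIVE_ACCESS, [6, 7, 8, 9]), (SYSTEM_FAILURES, [2, 4, 6]),
                      (COMPLAINTS, [30, 25, 18]), (TRAINED, [97, 95, 93, 92])]:
        print(evaluate(kri, hist))
```

The sensitive-access KRI is the interesting case: at 9% it is below its 10% amber threshold, so a pure threshold check would report green, but three months of steady growth make it an emerging trend, and because it is a leading indicator the evaluation raises it to amber while there is still time to prune access before the 15% appetite limit is reached.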
What are the 3 lines of defense in the "3 Lines of Defense" model?
- Business and IT functions (first line: own and manage the risk day to day)
- IT risk management functions (second line: oversee and monitor the first line)
- Internal audit (third line: independent assurance)