13. Risk identification

Question 1

What are the 3 main sources of risk?

Answer 1

• Stakeholders
• Governance
• External events

Question 2

How do stakeholders give rise to risks

Answer 2

• Counterparty risk
• Litigation risk
• Misalignment of incentives risk
• Adverse selection risk
• Moral hazard risk
• Reputation risk
• Market conduct risk
• Operational risk
• Key person risk

Question 3

How does governance give rise to risks

Answer 3

• If not sufficient RM process, then absence of sufficient processes is a source of risk

Question 4

How do external events give rise to risks

Answer 4

• Natural disasters
• Utility failure e.g. loadshedding
• War
• Crime
• Corruption
• Political instability
• Resource
• Pollution
• Climate change
• Demographics
• Changes in tastes
• Foreign affairs
• Technology and economic risks

Question 5

List some economic sources of risk

Answer 5

• GDP
• Sovereign credit rating
• Unemployment rate
• Interest rate
• Inflation rate
• Balance of trade (export more than import else debt&raquo_space; sovereign rating affected)
• FX rates
• Tax rates
• Foreign investment flows
• Value of commodities
• Business confidence

Question 6

Outline propertis of emerging risks

Answer 6

• Either new risks or changes in already known risks (or the effectiveness of their controls)
• Subject to high levels of uncertainty and ambiguity
• Difficult to quantify with traditional risk assessment techniques
• Important as could be new opportunity / have major impact on profitabilitt, operations or strategy

Question 7

Emerging risk trends giving rise to risk management challenges

Answer 7

• Globalisation
• Technology
• Changing market structures
• Restructuring business

Question 8

What is cyber crime?

Answer 8

• Financial loss, disruption or damage to reputation from some failure of IT systems

Question 9

Give examples of cyber crime

Answer 9

o Hacking
o Security breaches
o Espionage
o Data theft
o Extortion
o Privacy breaches
o Cyber terrorism

Question 10

How would you identify and control cyber crime

Answer 10

Identification
* Horizon scanning with experts and external info

Controls
* Strong IT security (e.g. firewalls, malware protection)
* Clear policies and incident management process
* Regular monitoring
* Cyber risk insurance

Question 11

What is climate change?

Answer 11

• Risk arising from adverse changes in physical environment and secondary impacts in the economy at a regional or global scale

Question 12

What are the 3 classification effects of climate risk?

Answer 12

o Physical – relates to first-order effects of environmental changes
o Transitional – arises from shift to low carbon economy
o Liability – arises from injured parties wanting compensation

Question 13

How would you assess climate risk

Answer 13

o Forward looking techniques allowing for constraints and dynamic interactions

Question 14

List emerging risk

Answer 14

• Cybercrime
• Climate change
• Cloud computing
• Social media
• Fake news
• Legacy systems
• Automation
• Unknown risks

Question 15

What is the difference between inherent and residual risk

Answer 15

• Inherent risk- risk to org without any risk management actions to change likelihood/impact
• Residual risk – remaining risk after management has taken action to alter likelihood/impact
  o May be secondary risk from take another risk response action

Question 16

A.I.A.E.U.R

Outline the risk identification process

Answer 16

1. Analyse business operations and wider environment. Ensuring clear business objectives
2. Identify key business risks in structured way
3. Obtain agreement on risks faced, relationships between them and accountabilities of each risk and its management
4. Evaluate risks in terms of probability, severity and interdependency, gross and net of existing controls
5. Produce / update risk register, prioritising top risks for further analyses, quantification and risk mitigation
6. Review risk register regularly, especially during times of change. (Ideally integrate assessments into everyday business operations)

Question 17

idea generation tools to identify risks

Give examples of risk identification tools

Answer 17

• SWOT
• Risk checklist
• Case studies
• Risk prompts lists
• Process analysis
• Risk taxonomy
• Horizon scanning

Question 18

techniques to implement tools

Give examples of risk identification techniques

Answer 18

• Brainstorming
• Surveys
• Delphi meetings
• Interviews
• Working groups
• Gap analysis

Question 19

What is a risk register

Answer 19

Document detailing all risks faced by company

Question 20

List the desired features of a risk register

Answer 20

• Risk numbering system
• Risk categories for each risk- must accommodate risks that fall in different categories
• Risk description
• Risk source
• Risk assessment
  o Frequency
  o Severity
  o Duration
  o Correlation
• Risk management
  o Prioritation
  o Risk control
  o Risk response
  o Risk costs
  o Residual risks
  o Who is responsible?
• Risk monitoring
  o Effectiveness of risk control cycle
  o Risk occurrence
  o Risk damage
  o Risk concerns

Question 21

What is a risk map?

Answer 21

illustrates effect risk may have on company by ranking risk exposures by severity on x-axis and probability on y-axis.
o May also help show results of how effective risk control is by mapping inherent and residual risks

Question 22

What is a heat map

Answer 22

• Heat map plots severity against control effectiveness rating

Question 23

What is the problem of bias?

Answer 23

when risks are not identified, assessed or reported in a true and honest way

Question 24

Give examples of bias

Answer 24

• Overconfidence
• Anchoring
• Representative heuristic

Question 25

How can you reduce bias?

Answer 25

• Incorporating checks and balances into risk identification and assessment process, e.g.
   Independent review
   Referencing similar projects
• Introducing optimism bias, where capital cost is increased by % based on past cost over-runs